Update now! Apple releases critical iOS and iPadOS patches to fix a VoiceOver vulnerability that could expose your saved passwords. Protect your data today!

Continue reading
Apple has released critical updates for iOS and iPadOS to address two significant security issues, one of which could have allowed a user's passwords to be read aloud by the VoiceOver assistive technology.
The first vulnerability, tracked as CVE-2024-44204, is a logic flaw in the new Passwords app that impacts a wide range of iPhones and iPads. Security researcher Bistrit Daha discovered and reported this flaw to Apple.
>>> _"A user's saved passwords may be read aloud by VoiceOver,"_ Apple stated in an advisory released this week. The issue was resolved with improved validation.
The vulnerability impacts the following devices:
iPhones:
iPads:
CVE-2024-44207: Audio Capture Before Microphone Indicator Activation
Apple also patched a security vulnerability identified as CVE-2024-44207, specific to the newly launched iPhone 16 models. This flaw resides in the Media Session component.
The vulnerability allows audio to be captured before the microphone indicator is activated, potentially leading to unauthorized audio recording.
> _"Audio messages in Messages may be able to capture a few seconds of audio before the microphone indicator is activated,"_ Apple noted.
The issue has been fixed with improved checks. Apple credited Michael Jimenez and an anonymous researcher for reporting it.
Recommended Actions
Users are advised to update their devices to safeguard against these vulnerabilities.
For iPhones:
For iPads:
These vulnerabilities could potentially allow unauthorized access to sensitive information and compromise user privacy. Updating your device ensures that these security flaws are patched. Apple's prompt response to these vulnerabilities highlights the importance of keeping your devices updated. Users are encouraged to install the latest updates immediately to maintain security and privacy.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.