Apple’s MIE, Fake Chrome Ext, and C2PA Content Credentials in Google Pixel

Notable security news for the week of Sept 7–13, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news about Apple’s new memory safety system called Memory Integrity Enforcement. I also talk about fake Chrome extensions that can take over Meta business accounts. Google has introduced Trusted Photography with C2PA Content Credentials in Google Pixel, which is a big step towards digital media transparency. CISA has also issued an alert about the Dassault DELMIA Apriso RCE vulnerability that is being actively exploited.

We at F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So the next time you are facing a security emergency, please contact F5 SIRT.

Ok, let’s get started and see the details of the security news.


Apple’s Memory Integrity Enforcement

Apple has introduced Memory Integrity Enforcement (MIE), an advanced built-in memory safety system that combines hardware and software to protect critical components of Apple devices without compromising performance. MIE is designed to block memory corruption-based attacks, including buffer overflows, use-after-free vulnerabilities, speculative side-channel leaks, and kernel exploits.

MIE is built on three foundational components:

  • Typed and Secure Memory Allocators: Allocators like kalloc_type, xzone malloc, and WebKit’s libpas are used to organize memory by type, significantly limiting exploitation opportunities by isolating memory usage patterns.
  • Enhanced Memory Tagging Extension (EMTE) in Synchronous Mode: EMTE tags memory allocations and ensures that memory accesses are matched with the appropriate tags. Any mismatched tags are detected and blocked at the hardware level.
  • Tag Confidentiality Enforcement: This ensures that memory tags remain confidential, preventing potential leaks through side channels or speculative execution vulnerabilities.

Apple developed MIE iteratively over five years, enhancing ARM’s original Memory Tagging Extension (MTE) specification to deliver always-on protection with high performance. The system is deeply integrated into Apple’s latest A19 and A19 Pro chips, featured in the iPhone 17 lineup and the new iPhone Air. For developers, EMTE support will be accessible via Xcode’s new “Enhanced Security” features.

Extensive testing by Apple’s offensive security research team against exploit chains and known memory corruption methods demonstrated that MIE effectively neutralizes many common attack strategies. The remaining vulnerabilities are rare, dependent on improbable conditions, and highly impractical for crafting a full exploit chain.

In summary, Memory Integrity Enforcement represents Apple’s most ambitious and comprehensive memory safety enhancement to date. With always-on, hardware-assisted protection across key attack surfaces, MIE significantly increases the cost and complexity for attackers attempting to compromise Apple devices.
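To make the tagging idea behind EMTE concrete, here is a small Python model added for this edition. It is not Apple’s code and not a description of the A19 hardware; it is a toy heap in which every 16-byte granule carries a 4-bit tag, each allocation gets a fresh tag that also travels in the pointer, every load and store compares the two before it completes (the synchronous mode mentioned above), and free() retags the granules so a dangling pointer no longer matches. The class and function names are invented for the example.

```python
import random

GRANULE = 16        # bytes covered by one tag (Arm MTE also uses 16-byte granules)
NUM_TAGS = 16       # 4-bit tags


class TagFault(Exception):
    """Stands in for the synchronous hardware fault raised on a tag mismatch."""


class TaggedHeap:
    """Bump allocator over a flat byte array with one tag per granule (model only)."""

    def __init__(self, size=4096, seed=0):
        self.mem = bytearray(size)
        self.tags = [0] * (size // GRANULE)
        self.sizes = {}                       # base address -> allocation size
        self.rng = random.Random(seed)        # deterministic so the example is repeatable
        self.top = 0

    def malloc(self, nbytes):
        """Return a 'pointer' (base, tag); the same tag is written to the granule table."""
        size = -(-nbytes // GRANULE) * GRANULE            # round up to whole granules
        if self.top + size > len(self.mem):
            raise MemoryError("model heap exhausted")
        base = self.top
        self.top += size
        # Never reuse the tag of the granule just below, so a linear overflow into
        # the neighbour is guaranteed to mismatch rather than matching 1 time in 16.
        below = self.tags[base // GRANULE - 1] if base else None
        tag = self.rng.choice([t for t in range(NUM_TAGS) if t != below])
        for g in range(base // GRANULE, (base + size) // GRANULE):
            self.tags[g] = tag
        self.sizes[base] = size
        return (base, tag)

    def free(self, ptr):
        """Retag the freed granules so the stale pointer's tag no longer matches."""
        base, tag = ptr
        self._check(base, tag)
        size = self.sizes.pop(base)           # a double free raises KeyError in the model
        for g in range(base // GRANULE, (base + size) // GRANULE):
            self.tags[g] = (tag + 1) % NUM_TAGS

    def _check(self, addr, tag):
        if not 0 <= addr < len(self.mem) or self.tags[addr // GRANULE] != tag:
            raise TagFault(f"tag mismatch on access to {addr:#x}")

    def store(self, ptr, offset, value):
        base, tag = ptr
        self._check(base + offset, tag)       # synchronous: checked before the write lands
        self.mem[base + offset] = value

    def load(self, ptr, offset):
        base, tag = ptr
        self._check(base + offset, tag)
        return self.mem[base + offset]


def demo_linear_overflow():
    """A one-byte overflow into the neighbouring allocation is caught."""
    heap = TaggedHeap()
    a = heap.malloc(16)
    heap.malloc(16)                           # the neighbour an overflow would reach
    heap.store(a, 15, 0x41)                   # last in-bounds byte: allowed
    try:
        heap.store(a, 16, 0x41)               # first byte of the neighbour: tag differs
    except TagFault:
        return "caught"
    return "missed"


def demo_use_after_free():
    """A read through a dangling pointer is caught because free() retagged the memory."""
    heap = TaggedHeap()
    p = heap.malloc(40)
    heap.store(p, 0, 0x42)
    heap.free(p)
    try:
        heap.load(p, 0)                       # stale pointer still carries the old tag
    except TagFault:
        return "caught"
    return "missed"


def forged_pointer_escape_rate(trials=2000):
    """Fraction of forged pointers with a guessed tag that slip through: about 1/16.

    This residual is why tag confidentiality matters: if the tag leaked through a
    side channel, the guess would become a certainty.
    """
    heap = TaggedHeap()
    base, _real_tag = heap.malloc(16)
    rng = random.Random(1)
    escaped = 0
    for _ in range(trials):
        try:
            heap.load((base, rng.randrange(NUM_TAGS)), 0)
            escaped += 1
        except TagFault:
            pass
    return escaped / trials
```

The two demo functions show the deterministic part of the protection (adjacent allocations never share a tag, and freed memory is always retagged). The escape-rate function shows the probabilistic part: with only 16 tags, a pointer whose tag must be guessed still gets through about 6% of the time, which is the gap that tag confidentiality enforcement is meant to keep attackers from closing.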

https://security.apple.com/blog/memory-integrity-enforcement/


Fake Chrome Extensions Hijack Meta Business Accounts via Malvertising Campaigns

Security researchers have uncovered two interconnected campaigns distributing malicious Chrome extensions—Madgicx Plus and SocialMetrics Pro—aimed at hijacking Meta business accounts. Attackers leverage malvertising, fake websites, and deceptive branding to trick users into installing these extensions, which subsequently steal credentials and session cookies for Facebook and Instagram accounts.

SocialMetrics Pro: This extension is promoted through advertisements and tutorials falsely claiming to provide features such as unlocking verified blue badges or accessing exclusive account tools. The extension, hosted on legitimate cloud platforms like Box, harvests cookies, collects IP data via ipinfo.io, and transmits stolen information to attackers using Telegram bots. Some versions even exploited the Facebook Graph API to extract additional account details, enabling more extensive compromises.

Madgicx Plus: Impersonating a legitimate AI-powered ad optimization tool, Madgicx Plus continues to appear on the Chrome Web Store in certain cases. Targeting advertisers, it promises business insights and ROI improvements but instead intercepts browser traffic, steals credentials, and hijacks Meta business sessions. This access allows attackers to take control of ad accounts, causing significant damage.

Coordinated Campaigns

Both campaigns share infrastructure, techniques, and reused domains, strongly suggesting a coordinated operation. The presence of Vietnamese-language tutorials and code comments within the extensions points to possible links to Vietnamese-speaking threat actors.

Impact

The consequences of these attacks are severe. Hijacked Meta business accounts could be resold on dark web marketplaces or exploited to run additional malvertising campaigns, perpetuating the cycle of compromise.

Mitigation Steps

To minimize risk, users and advertisers should take the following precautions:

  • Avoid installing unverified extensions.
  • Verify the legitimacy of the publishers before downloading any software.
  • Scrutinize extension permissions carefully.
  • Regularly monitor account activity for suspicious behavior.
  • Immediately remove any unused or suspicious browser add-ons.

Proactive extension management and thorough account oversight are essential to prevent account takeovers and mitigate financial and operational abuse.
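The “scrutinize extension permissions” advice is easier to follow with a checklist in code. The Python below is an added example, not code from the linked reports or from either extension named above: it parses a Chrome extension manifest.json and flags the permission pattern that matches the behaviour described, namely cookie access combined with host access to Facebook and Instagram. Both manifests are constructed samples; the permission names are real Chrome permission names, but the extension names and file names are made up.

```python
import json

# Permissions that, on their own, let an extension read or replay a logged-in session.
SESSION_PERMISSIONS = {
    "cookies": "read and write cookies for every host it has host access to",
    "webRequest": "observe every request, including session headers",
    "webRequestBlocking": "modify or redirect requests in flight",
    "proxy": "route all browser traffic through a server of its choosing",
    "debugger": "drive any tab through the DevTools protocol",
    "scripting": "inject scripts into matched pages",
    "tabs": "read the URL and title of every open tab",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
META_HOST_KEYWORDS = ("facebook.com", "instagram.com", "meta.com")


def host_patterns(manifest):
    """Every host match pattern the extension asks for, across MV2 and MV3 fields."""
    patterns = set(manifest.get("host_permissions", []))
    # MV2 manifests mix host patterns into "permissions"; keep entries that look like one.
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def review_manifest(manifest):
    """Return human-readable findings for a parsed manifest dict."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)

    for perm in sorted(perms & set(SESSION_PERMISSIONS)):
        findings.append(f"permission '{perm}': can {SESSION_PERMISSIONS[perm]}")

    broad = sorted(hosts & BROAD_HOSTS)
    if broad:
        findings.append(f"broad host access {broad}: applies to every site the user visits")

    meta_hosts = sorted(h for h in hosts if any(k in h for k in META_HOST_KEYWORDS))
    if meta_hosts:
        findings.append(f"host access to Meta properties: {meta_hosts}")

    # The combination in the campaign above: cookie access scoped to exactly the
    # sites whose sessions are worth stealing.
    if "cookies" in perms and (broad or meta_hosts):
        findings.append("cookies + host access: can export session cookies for those sites")
    return findings


def triage(manifest_json):
    """Parse a manifest.json string and return (verdict, findings)."""
    findings = review_manifest(json.loads(manifest_json))
    verdict = "review before installing" if findings else "no session-theft indicators"
    return verdict, findings


# Constructed manifests for the example. Neither is the real Madgicx Plus or
# SocialMetrics Pro manifest; the linked reports do not reproduce those.
SUSPECT_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Ads Insights Helper (constructed sample)",
    "version": "1.0",
    "permissions": ["cookies", "tabs", "webRequest", "storage"],
    "host_permissions": ["*://*.facebook.com/*", "*://*.instagram.com/*"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["inject.js"]}],
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Plain Notes (constructed sample)",
    "version": "1.0",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
})
```

A manifest alone cannot prove malice, since a legitimate ad-management tool may genuinely need cookie and host access to Meta domains; the point of the check is to turn “scrutinize permissions” into a concrete question to ask before installing: does this extension’s stated purpose justify the exact combination it requests?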

https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html

https://www.cybereason.com/blog/chrome-extension-campaign-madgicx


Pixel 10 Brings Trusted Photography with C2PA Content Credentials

Google’s Pixel 10 phones now integrate C2PA Content Credentials into every photo captured using the native Pixel Camera app, representing a significant step toward enhancing digital media transparency.

Key Highlights:

  • The Pixel Camera has achieved Assurance Level 2 under the C2PA Conformance Program—the highest level currently attainable for a mobile application.
  • Google employs a privacy-by-design certificate system, ensuring that no image or group of images can be linked to a specific user or connected to each other through identifiable markers.
  • Pixel 10 features on-device, trusted timestamps, allowing photos to remain verifiable even if the certificate expires or if the device was offline at the time the photo was taken.

Hardware Support:

These capabilities are underpinned by robust hardware, including the Tensor G5 chip, Titan M2 security module, and Android's hardware-backed APIs. Additional secure features like StrongBox and Android Key Attestation further strengthen the implementation.

Provenance Model:

Google defines its provenance model based on three critical principles:

  1. End-to-end security, from silicon to applications.
  2. Verifiability without personal identifiability.
  3. Offline functionality.

Privacy Protections:

To safeguard user privacy, Google employs several measures:

  • Unique certificates are generated per image to prevent traceability.
  • Anonymous attestation is used for key generation.
  • No logs—such as IP addresses—are created to link users to certificates.

Utilization:

The Pixel Camera attaches credentials to every JPEG image captured, and Google Photos displays these credentials in the image metadata when the photo is edited using AI or other tools, or when credential-bearing JPEGs are viewed.

Impact:

This implementation significantly enhances user trust by verifying image authenticity and validating edits made using AI or other tools, contributing to a more transparent digital media ecosystem. Google is actively encouraging other developers and platforms to adopt similar models to further advance trust and transparency in the realm of media creation and editing.

https://security.googleblog.com/2025/09/pixel-android-trusted-images-c2pa-content-credentials.html

https://www.bleepingcomputer.com/news/security/pixel-10-fights-ai-fakes-with-new-android-photo-verification-tech/


CISA Alerts on Actively Exploited Dassault DELMIA Apriso RCE Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding an actively exploited remote code execution (RCE) vulnerability in DELMIA Apriso, a manufacturing operations and execution system (MES/MOM) developed by Dassault Systèmes. The vulnerability, tracked as CVE-2025-5086 (CVSS v3 score 9.0), stems from the deserialization of untrusted data and impacts all versions from Release 2020 through Release 2025.

DELMIA Apriso is widely used for production scheduling, quality and resource management, warehousing, and shop-floor system integration across various industries, including high-tech, automotive, electronics, aerospace, and industrial machinery, making the flaw especially concerning.

Security researcher Johannes Ullrich revealed that threat actors are exploiting this vulnerability by sending SOAP requests containing a Base64-encoded, GZIP-compressed .NET executable embedded within XML. The executable is built for Windows-based systems, and the observed exploit attempts appear to be opportunistic scanning for vulnerable endpoints.

In response, CISA has added CVE-2025-5086 to its Known Exploited Vulnerabilities (KEV) catalog. U.S. federal agencies have been given a deadline of October 2 to apply available patches or mitigation measures for DELMIA Apriso—or cease its usage entirely. While the advisory is binding for federal agencies, CISA urges private sector organizations globally to take immediate action.

Recommended Actions from CISA

Enterprises leveraging DELMIA Apriso should take the following steps as a priority:

  • Apply patches or vendor-provided mitigations without delay.
  • In high-risk environments, disable or isolate vulnerable systems until fixes have been implemented and verified.
  • Monitor incoming SOAP endpoint requests and filter out suspicious Base64-encoded payloads.
  • Employ comprehensive detection systems to identify deserialization attack patterns.

Continuous monitoring, proactive defenses, and rapid remediation are crucial to minimizing exposure and mitigating potential damage. Organizations should remain vigilant and treat this advisory with urgency, given the risk of exploitation in critical manufacturing industries.
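CISA’s recommendation to monitor SOAP endpoints for suspicious Base64 payloads can be implemented as a simple content inspection. The Python below is an added example, not CISA’s or Dassault Systèmes’ code and not derived from the actual exploit traffic: it walks the text nodes of a SOAP body, decodes any long Base64-looking value, and reports when the result is GZIP data, and whether what is inside the GZIP stream starts with a Windows PE header. The two requests are constructed samples; the “executable” is only an MZ header followed by filler bytes.

```python
import base64
import binascii
import gzip
import re
import xml.etree.ElementTree as ET

# Only text nodes that look like a long Base64 blob are examined; the short
# identifiers and numbers in a normal MES request never match this.
B64_TEXT = re.compile(r"^[A-Za-z0-9+/=\s]{64,}$")
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def _text_nodes(xml_bytes):
    # For real traffic, parse with a hardened XML parser (for example defusedxml)
    # rather than the stdlib parser used here on a constructed sample.
    root = ET.fromstring(xml_bytes)
    for element in root.iter():
        if element.text and element.text.strip():
            yield element.tag.rsplit("}", 1)[-1], element.text.strip()


def _describe(blob):
    """Classify a decoded blob; return None when it is nothing remarkable."""
    if blob.startswith(GZIP_MAGIC):
        try:
            inner = gzip.decompress(blob)
        except (OSError, EOFError):
            return "GZIP blob that failed to decompress"
        if inner.startswith(PE_MAGIC):
            return f"GZIP-compressed PE executable ({len(inner)} bytes decompressed)"
        return f"GZIP-compressed data ({len(inner)} bytes decompressed)"
    if blob.startswith(PE_MAGIC):
        return f"PE executable ({len(blob)} bytes)"
    return None


def inspect_soap(xml_bytes):
    """Return (element name, description) for every suspicious Base64 text node."""
    findings = []
    for name, text in _text_nodes(xml_bytes):
        if not B64_TEXT.match(text):
            continue
        try:
            blob = base64.b64decode(text)          # whitespace inside the value is ignored
        except (binascii.Error, ValueError):
            continue
        description = _describe(blob)
        if description:
            findings.append((name, f"Base64-encoded {description}"))
    return findings


def _soap_envelope(payload_text):
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body><Request><Payload>" + payload_text + "</Payload></Request></s:Body>"
        "</s:Envelope>"
    ).encode()


# Constructed samples. FAKE_PE is an MZ header plus filler bytes, not a program.
FAKE_PE = b"MZ\x90\x00" + bytes(range(256)) * 2
SUSPICIOUS_REQUEST = _soap_envelope(base64.b64encode(gzip.compress(FAKE_PE)).decode())
BENIGN_REQUEST = _soap_envelope(base64.b64encode(b"order=12345;site=plant-7;" * 4).decode())
```

Run inspect_soap over the body of each inbound SOAP request at the WAF or reverse proxy in front of the application. A hit on “GZIP-compressed PE executable” is the pattern described in the advisory and is worth an alert regardless of whether the endpoint has been patched; hits on plain GZIP data deserve a baseline first, since some legitimate integrations do ship compressed attachments.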

https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-dassault-rce-vulnerability/

https://thehackernews.com/2025/09/critical-cve-2025-5086-in-delmia-apriso.html

Published Sep 16, 2025
Version 1.0