Apple has released updates to fix security flaws on iPhone, iPad, and Mac devices, after admitting the vulnerabilities could have been “actively exploited” by threat actors.
The vulnerability is believed to have allowed hackers to break into WebKit, the engine that powers Apple’s Safari web browser. After gaining an initial foothold, threat actors can then take control of the device’s operating system (OS) to “execute arbitrary code” and potentially infiltrate the device via “maliciously crafted web content”.
Regarding affected devices, Apple listed the iPhone 6S, iPad 5th generation and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models, and the iPod touch 7th generation.
Mac computers running the company’s Monterey OS are also affected, along with Apple’s Safari browser on Big Sur and Catalina OS.
The company released patches for the vulnerabilities Wednesday through Friday, which are now listed on Apple’s security update website.
“Apple has released security updates to address vulnerabilities in macOS Monterey, iOS, and iPadOS, and Safari,” the Cybersecurity and Infrastructure Agency (CISA) wrote in an advisory Thursday.
“CISA encourages users and administrators to review Apple’s security update page for the following products and apply the necessary updates as soon as possible.”
This view was also echoed by SocialProof Security CEO Rachel Tobac on Twitter on Thursday.
“Apple has found that two zero days of active use can give attackers full access to a device,” she wrote. “For most people: software updates at the end of the day. If the threat model is advanced (journalist, activist, target country, etc.): update now.”
However, despite releasing patches for the vulnerability, the iPhone maker did not mention how, where or by whom the vulnerabilities were discovered, citing an anonymous researcher.
The news comes weeks after Apple first announced a new set of iPhone features called ‘Lockdown Mode’.
Commenting on the story, Muhammad Yahya Patel, security evangelist at Check Point, said: “We urge everyone with affected Apple devices to update to the latest software as soon as possible. Cybercriminals will be on the lookout for any device that hasn’t updated its software to access personal information, introduce malware, or gain access to a corporate network. Apple has stated this vulnerability could have been exploited against users. The threat landscape is evolving rapidly, and mobile vulnerabilities and malware are a significant and often overlooked danger to both personal and business security.”