CUPERTINO — Apple disclosed a serious security vulnerability for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.
Apple released two security reports about the issue on Wednesday, although they didn’t receive wide attention outside of tech publications.
The Cupertino-based company’s explanation of the vulnerability means a hacker could get “full admin access” to the device. That would allow intruders to impersonate the device’s owner and subsequently run any software in their name, said Rachel Tobac, CEO of SocialProof Security.
Security experts have advised users to update affected devices – the iPhone 6S and later models; several models of the iPad, including the 5th generation and later, all iPad Pro models and the iPad Air 2; and Mac computers running macOS Monterey. The flaw also affects some iPod models.
Apple did not say in the reports how, where or by whom the vulnerabilities were discovered. In all cases, it cited an anonymous researcher.
Commercial spyware companies such as Israel’s NSO Group are known for identifying and taking advantage of such flaws, exploiting them in malware that surreptitiously infects targets’ smartphones, siphons their contents and surveils the targets in real time.
NSO Group has been blacklisted by the U.S. Commerce Department. Its spyware is known to have been used in Europe, the Middle East, Africa and Latin America against journalists, dissidents and human rights activists.
Security researcher Will Strafach said he had seen no technical analysis of the vulnerabilities that Apple has just patched. The company has previously acknowledged similarly serious flaws and, on what Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had been exploited.
Apple releases iOS, iPadOS and macOS security fixes for two zero-days under active attack
Apple released surprise software updates for iPhones, iPads and Macs on Wednesday that fix two security vulnerabilities known by Apple to be actively exploited by attackers.
The two vulnerabilities were found in WebKit, the browser engine that powers Safari and other apps, and the kernel, essentially the core of the operating system. The two flaws affect iOS, iPadOS and macOS Monterey.
Apple said the WebKit bug could be exploited if a vulnerable device accessed or processed “maliciously crafted web content [that] may lead to arbitrary code execution,” while the second bug allowed a malicious application “to execute arbitrary code with kernel privileges,” which means full access to the device. The two flaws are believed to be related.
Some successful exploits, such as powerful nation-state spyware, use two or more vulnerabilities in conjunction to break through a device’s layers of protections. It’s not uncommon for attackers to first target a vulnerability in the device’s browser as a way to break into the wider operating system, granting the attacker wide access to the user’s sensitive data.
Apple said iPhone 6s models and later, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation) and all iPad Pro models are affected.
Apple did not respond to a request for comment.