Apple devices are once again in need of urgent security updates to protect against three zero-day vulnerabilities that are being actively exploited by hackers. The vulnerabilities affect iPhones, iPads, Macs, Apple Watch, and Safari users.
Key Takeaway
Apple has released urgent security updates to fix three zero-day vulnerabilities actively exploited by hackers. These vulnerabilities can result in unauthorized access to devices and have been used to plant the Predator spyware on the phone of an Egyptian presidential candidate. Earlier this month, Apple also patched a zero-click vulnerability that allowed the installation of the Pegasus spyware. Users are urged to update their Apple devices promptly to protect against these threats.
Vulnerabilities Exploited:
The three vulnerabilities include:
- A flaw in WebKit, the browser engine powering Safari.
- A certificate validation bug that allows malicious apps to run on affected devices.
- A bug that provides broader access to the kernel, the core of the operating system.
These vulnerabilities are part of an exploit chain, where they are combined to gain unauthorized access to a target’s device.
Immediate Action by Apple:
Apple has taken swift action by releasing security updates to address these vulnerabilities. The updates have been made available for iOS 16.7 and earlier, as well as older versions of macOS Ventura and Monterey, and watchOS.
It is worth noting that these updates come shortly after the release of iOS 17, which introduced enhanced security and privacy features to mitigate the risk of cyberattacks, including spyware.
Exploit Used to Plant Predator Spyware:
Google researcher Maddie Stone and Citizen Lab’s Bill Marczak uncovered the three vulnerabilities. In their blog posts, they confirmed that Apple’s latest updates were designed to block an exploit used to plant the Predator spyware on the phone of an Egyptian presidential candidate.
Predator, developed by Cytrox, a subsidiary of Intellexa, is a spyware capable of stealing sensitive data from a targeted individual’s phone. Cytrox and Intellexa were both added to a U.S. government denylist earlier this year, resulting in a ban on U.S. companies doing business with them.
Previous Zero-Day Vulnerability:
In addition to this recent security update, Apple issued another high-profile security update earlier this month. It addressed a zero-click vulnerability that allowed the Pegasus spyware, developed by NSO Group, to be planted on a fully up-to-date iPhone.
This vulnerability, named BLASTPASS by Citizen Lab, was part of an exploit chain that leveraged PassKit, a framework enabling developers to incorporate Apple Pay into their apps.
These security breaches highlight the constant need to update devices to ensure the latest protections against zero-day vulnerabilities. Users are strongly advised to update their Apple devices immediately to stay secure.