Apple security flaw ‘actively exploited’ by hackers to fully control devices
Apple users have been urged to immediately update their iPhones, iPads and Macs to protect against a pair of security vulnerabilities that could allow attackers to take complete control of their devices.
In both cases, Apple said, there are credible reports that hackers are already abusing the vulnerabilities to attack users.
One of the software vulnerabilities affects the kernel, the deepest layer of the operating system shared by all devices, Apple said. The second affects WebKit, the underlying technology of the Safari browser.
For each of the bugs, the company said it was “aware of a report that this issue may have been actively exploited,” though it did not provide further details. It credited one or more anonymous researchers with revealing both.
Anyone with an iPhone released since 2015, an iPad released since 2014, or a Mac running macOS Monterey can download the update by opening the settings menu on their mobile device, or selecting “software update” from the “about this Mac” menu on their computer.
Rachel Tobac, CEO of SocialProof Security, said Apple’s explanation of the vulnerability meant that a hacker could gain “full admin access to the device” so they could “run any code as if they were you, the user.”
Those who should pay particular attention to updating their software are “people who are in the public eye,” such as activists or journalists who could be targets of sophisticated nation-state espionage, Tobac said.
Until the fix was released on Wednesday, the vulnerabilities would have been classified as “zero-day” bugs, because there has been a fix available for them for zero days. Such vulnerabilities are hugely valuable on the open market, where cyber arms brokers will buy them for hundreds of thousands or millions of dollars.
The broker Zerodium, for example, will pay “up to $500,000” for a security weakness that can be used to hack a user through Safari, and up to $2 million for a fully developed piece of malware that can hack an iPhone without a user having to click something. The company says the customers for such vulnerabilities are “government institutions (mainly from Europe and North America)”.
Commercial spyware companies such as Israel’s NSO Group are known to identify such flaws and exploit them in malware that stealthily infects targets’ smartphones, siphons their contents and monitors the targets in real time.
NSO Group is blacklisted by the US Commerce Department. Spyware is known to have been used in Europe, the Middle East, Africa and Latin America against journalists, dissidents and human rights activists.
Will Strafach, a security researcher, said he had not seen any technical analysis of the vulnerabilities that Apple has just patched. The company has previously acknowledged similar serious flaws and, on what Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had been exploited.