- Both vulnerabilities were found by Apple in WebKit, the browser engine that powers Safari and other apps, and Kernel, essentially the core of the operating system.
- Kernel and WebKit flaws could allow arbitrary code execution on Apple devices.
- Users are encouraged to install emergency software updates, although Apple has not yet disclosed the extent to which the flaw has been exploited.
In an earnings call covering the first fiscal quarter of 2022, Apple CEO Tim Cook shared that there are over 1.8 billion active devices worldwide — a number that doesn’t come as much of a surprise considering how Apple’s devices are best-bet for built-in privacy. But even the most privacy-sensitive large technology company can be compromised and this week’s revelation by Apple about the operating system (Operating system) is proof that no one is exempt.
The company warned users worldwide about a flaw in the Apple OS that allows hackers to take control of iPhones, iPads and Mac computers. Apple then instructed users of most of its devices to update their software, as the vulnerability in their operating systems “may have been actively exploited.” The two vulnerabilities were found in WebKit, the browser engine that powers Safari and other apps, and Kernel, essentially the core of the operating system.
Detail of the errors on the Apple OS
Apple said the WebKit flaw can be exploited if a vulnerable device accesses or processes “malicious web content [that] could lead to the execution of arbitrary code,” while the second flaw allowed a malicious application to “execute arbitrary code with kernel privileges,” meaning it has full access to the device. The two flaws are believed to be related and affect both iOS and iPadOS and macOS Monterey.
Simply put, a cybercriminal can implant malware on your device even if all you did was view an otherwise innocent website. When Apple security updates posted online Wednesday and Thursday, the tech giant also stated that the vulnerability it found affects iPhones dating back to the 6S model, iPad 5th generation and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models and the 7th generation iPod touch.
The vulnerability also extends to Mac computers running the company’s Monterey OS as well as Apple’s Safari browser on Big Sur and Catalina OS, the company said in a subsequent update. Sophos Senior Technologist, Paul Ducklin in a blog post shared that kernel flaws almost certainly mean an attacker could: spy on any currently running apps; download and launch multiple apps without going through the App Store; access almost any data on the device; change system security settings; retrieve your location; even take screenshots and view the cameras in the device; activate the microphone; copy text messages and definitely track your browsing.
“Apple has not said how these bugs were found (other than to credit ‘an anonymous researcher’), has not said where in the world they have been exploited, and has not said who is using them or for what purpose,” said Paul and added that the best thing to do is to “patch right away!” This round of vulnerabilities represents the fourth and fifth zero-day error patched by Apple this year.
At this point, the number may only be on its way to meeting or replacing the number of these types of vulnerabilities that Apple was forced to respond to with fixes last yearwhich was 12, according to security researchers at Google, which holds a spreadsheet of zero-day errors categorized by supplier.