It’s too dangerous to wait – millions of iPhone owners were asked to enable “emergency switching” today
APPLE users have been urged to update their software immediately or risk having their devices hacked.
On Wednesday, Russian cybersecurity firm Kaspersky asked all Apple users to update iOS and macOS as soon as possible.
That’s because the latest versions of iOS (16.3.1) and macOS (Ventura 13.2) have fixed critical vulnerabilities.
These vulnerabilities are tracked as CVE-2023-23530 and CVE-2023-23531.
Kaspersky said in a blog post that these two flaws are dangerous because they allow threat actors to bypass Apple’s security restrictions.
“This makes it possible to write a malicious app that steals data (such as the user’s correspondence or random photos from the gallery) from other apps,” the cybersecurity firm explained.
In the past, similar techniques saw bad actors spread the infamous Pegasus malware, which was used to gain access to users’ data.
Now, vulnerabilities CVE-2023-23530 and CVE-2023-23531 have become new ways to work around these limitations.
The first, CVE-2023-23530, stems from exactly how Apple addressed the issue, Kaspersky said.
Specifically, Apple prepared extensive rejection lists of classes and methods that posed an obvious security risk.
However, by using methods not included in the rejection lists, threat actors could wipe the lists clean and then use the entire set of methods and classes.
The second vulnerability, CVE-2023-23531, is related to how processes within iOS and macOS interact with each other and how the data receiving process filters incoming information,” Kaspersky revealed.
“Simply put, the process of sending data can add a ‘content verified’ tag, and then feed the receiving process with a malicious script, which in some cases will be executed without verification,” they added.
Moreover, these two techniques for bypassing security checks also pave a number of other vulnerabilities.
“Attackers can use these vulnerabilities to gain access to user data and dangerous operating system functions, and even install applications (including system),” Kaspersky said.
“In other words, CVE-2023-23530 and CVE-2023-23531 can be used to create FORCEDENTRY-type exploits,” they continued.
What can I do?
Apps and Kaspersky both recommend that users update to the latest iOS and macOS software immediately.
To do this on an iPhone or iPad, go to Settings > General > Software Update.
Once there, click the “Update” button to launch and install the new software.
From your Mac, tap the Apple icon > System Preferences > General > Software Update.