Distinct solutions for macOS and iOS have been developed to rectify unique vulnerabilities found in the kernel and WebKit. These vulnerabilities could potentially let malicious entities seize control of devices, a threat which is currently being targeted.
Apple is fervently encouraging those who use macOS, iPhone, and iPad to promptly apply the relevant system updates released this week. These updates contain solutions for two actively exploited zero-days, which are weaknesses that allow cyber attackers to run arbitrary code, potentially gaining full control over the devices.
Fixes have been made accessible for devices impacted and operating on iOS 15.6.1 and macOS Monterey 12.5.1. These corrections tackle two vulnerabilities, essentially affecting any Apple gadget capable of running iOS 15 or the Monterey variant of its desktop operating system, as per the security updates rolled out by Apple on Wednesday.
A glitch, identified as a kernel bug (CVE-2022-32894), exists in both iOS and macOS. In Apple’s words, this is an “out-of-bounds write problem” that has been tackled by enhancing the bounds checking procedure.
The flaw enables a program to carry out any code with kernel rights, as per Apple. In their typical ambiguous style, they mentioned that there’s an allegation of it potentially being manipulated actively.
The second vulnerability is labelled as a WebKit glitch (monitored as CVE-2022-32893), which represents an out-of-bounds write problem that Apple has tackled with enhanced bounds verification. This glitch enables the handling of malevolently designed web content that could potentially trigger code execution, and is also reportedly being actively exploited, as per Apple’s updates. WebKit is essentially the browser engine that fuels Safari and all other non-proprietary browsers operating on iOS.
Situation Similar to Pegasus
The uncovering of these defects, which we know only a little more about beyond what Apple has revealed, is attributed to an unnamed investigator.
A specialist voiced concerns that the recent vulnerabilities in Apple products “could potentially grant full device control to hackers,” They could possibly replicate a situation akin to the Pegasus incident where government-backed Advanced Persistent Threats (APTs) bombarded victims with spyware crafted by the Israeli NSO Group, exploiting a weakness in the iPhone.
“Most people should aim to update their software by the end of the day,” Rachel Tobac, the head of SocialProof Security, advised in a tweet about the zero-days. “For those with a higher risk profile such as journalists, activists, or individuals targeted by national governments, you should update immediately,” Tobac cautioned.
An Overflow of Zero-Days
Google this week disclosed other updates alongside the revelation of its multiple vulnerabilities. It was also reported that they were in the process of fixing their fifth zero-day this year for their Chrome browser, a random code execution glitch that is currently under aggressive assault.
The recent announcement of added weaknesses in the systems of leading tech firms, targeted by cyber attackers, underscores the ongoing struggle these tech giants face. This is despite their utmost attempts to resolve persistent security problems in their software, as observed by Andrew Whaley, the Senior Technical Director at Promon, a prominent app security firm based in Norway.
The vulnerabilities in iOS are particularly concerning, considering the widespread use of iPhones and the complete dependence of users on mobile devices for their everyday activities, he mentioned. Nevertheless, the responsibility doesn’t solely lie with the manufacturers to safeguard these devices, but also with the users to have a heightened awareness of potential threats, as noted by Whaley.
“Despite our heavy dependence on our mobile gadgets, they aren’t impervious to threats. Hence, it’s crucial for us, as users, to stay vigilant in the same way we do with desktop operating systems,” he communicated to Threatpost via email.
Simultaneously, creators of applications for iPhones and other portable gadgets should incorporate an additional security feature in their software. This will reduce their dependence on the operating system’s security, which often has vulnerabilities, as noted by Whaley.
“From what we’ve observed, this isn’t occurring as often as it should, possibly exposing banking and various other clients to risks,” he stated.