Apple has rolled out an urgent update for iPhones, Macs, and iPads, urging users to install it immediately. Failing to update your Apple device leaves it at risk of being attacked by hackers, the tech giant has warned.
Apple revealed that the update in question patches a major security issue. Hackers can reportedly exploit it through the browser to break into an Apple device that hasn’t been updated.
The new update is numbered 17.1.2 for iOS and iPadOS, while for Mac devices, it’s macOS 14.1.2. Apple also released an update for the Safari browser, fixing the problem.
A Deeper Look at the Security Flaw
Hackers exploiting the vulnerability could potentially carry out “arbitrary code execution”. In simpler words, they would have full access to run any code they wish on the breached device.
All devices and platforms from Apple that allow browsing the web have been affected by the issue. This means devices such as Apple Watch and TV are unaffected by the issue and do not need to be updated.
Apple typically doesn’t reveal much detail about security flaws to prevent other hackers from exploiting them. As such, the tech giant refuses to “disclose, discuss, or confirm” issues at all until it has already fixed them.
However, Apple was “aware of a report that this issue may have been exploited” on devices running early versions of iOS, the company confirmed.
The issue was discovered by Clément Lecigne, a security engineer from Google’s Threat Analysis Group, or TAG. The group works to track nation-state hacking and identify threats against Google and its users, with a track record of uncovering major cybersecurity flaws in the past.
On Thursday, Apple gave assurances that it was already working on fixing two of these vulnerabilities.
In a time span of only 48 hours, TAG recently reported three high-severity zero-day vulnerabilities in Apple’s operating systems that are under active exploitation.
Both these issues originate in WebKit, the engine behind Apple’s Safari browser and several other applications.
The first of the two bugs, which is tracked as CVE-2023-42916, enables hackers to acquire sensitive information when specially crafted content is processed by WebKit-powered applications.
The second one, CVE-2023-42917, is a memory corruption flaw that lets malicious code execute on vulnerable devices when WebKit-powered apps process content crafted by hackers.
The two bugs complement each other and could be exploited together for arbitrary code execution.
Multiple Security Updates Rolled Out by Apple in 2023
This year saw Apple rolling out several security updates, which might indeed be worrying. The two new bugs fixed in the latest update happen to be the 19th and 20th such vulnerabilities discovered in 2023.
While many of these bugs were relatively small issues, spyware such as Predator and Pegasus could still exploit them. Both spyware tools are known to be used by governments to snoop on activists and journalists.
The good news is that Apple is investing heavily in identifying security flaws in its devices and has released several security features, including a lockdown mode.
The company has hired a team of elite engineers equipped with lasers, fine-tuned sensors, and other advanced technologies to try and find hardware-related vulnerabilities.
While security flaws in software can be fixed by releasing patch updates, not much can be done about the hardware once a customer buys a device.