Apple reveals security vulnerabilities affecting iPhones and iPads

World scrambles to update their iPhones, iPads and Macs after Apple revealed hackers could ‘exploit’ security flaw granting them access to EVERYTHING from bank accounts, social media, private photos, emails and personal contacts

Apple has disclosed serious security vulnerabilities for certain models of iPhones, iPads and Macs
Security experts say issues could potentially allow attackers to take complete control of the devices
iPhone 6S and later models; and several models of the iPad from 5th generation all affected by issues
Also affected are iPad Pros, iPad Mini 4 and later, iPad Air 2 and later and Macs on MacOS Monterey

Apple users were today urged to update their devices after the firm disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.

The US company said it is ‘aware of a report that this issue may have been actively exploited’ and released two security reports about the issue on Wednesday, but they have only now received more widespread attention.

Security experts told users to update affected devices – the iPhone 6S and later models; and several models of the iPad, including the 5th generation and later, all iPad Pros, the iPad Mini 4 and later and the iPad Air 2 and later.

Mac computers on MacOS Monterey and the iPod Touch 7th generation are also affected. The two issues were found in WebKit, the browser engine that powers Safari; and the Kernel, which is the core of the operating system.

In an update on its support page, Apple said one of the flaws means a malicious application ‘may be able to execute arbitrary code with Kernel privileges’ – which has been described as meaning full access to the device.

Andy Norton, chief cyber risk officer at Armis, told MailOnline today: ‘This clearly has wide reaching implications. Apple products have become a mainstay of everyday life, facial recognition, banking apps, health data.

‘Pretty much everything we hold dear resides on our Apple products. Historically, many people have not updated their Apple products for fear of shortening the life span of their devices. That behaviour now must change.’

The update can be obtained by going to the ‘Settings’ or ‘System Preferences’ section of a device, and choosing the ‘Software Update’ option. It is not required for older operating systems such as macOS Cataline and Big Sur.

Apple chief executive Tim Cook holds the iPhone 13 Pro Max and Apple Watch 7 in Cupertino, California, last September

Apple released two security reports about the issue on Wednesday, and they have now received more widespread attention

The two vulnerability issues now fixed by Apple in iOS 15.6.1 are a vulnerability in the iPhone Kernel and the flaw in WebKit

Apple’s explanation of the vulnerability means a hacker could get ‘full admin access’ to the device, which would allow intruders to impersonate the device’s owner and subsequently run any software in their name.

Jake Moore, Dorset-based global cybersecurity advisor at ESET Internet Security explained to MailOnline today how the vulnerabilities could potentially allow hackers to take complete control of devices.

Key details: What is the Apple update and what devices are affected?

What is the update to?

iOS 15.6.1
iPadOS 15.6.1

What devices are affected?

iPhone (6s and later)
iPad Pro (all models)
iPad Air (2 and later)
iPad (5th generation and later)
iPad Mini (4 and later)
iPod Touch (7th generation)
Mac computers (on MacOS Monterey)

Where were the issues found?

WebKit (browser engine that powers Safari)
Kernel (core of the operating system)

What were the vulnerabilities called?

WebKit – ‘CVE-2022-32893’
Kernel – ‘CVE-2022-32894’

He said: ‘Apple has disclosed some pretty serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow hackers to take complete control over these devices.

‘If exploited, attackers would be able to see your location, read messages, view contacts lists and potentially even access the microphone and camera – all the things you don’t want to have out there.

‘Everyone should err on the side of caution by updating their devices but those in the public eye such as activists, politicians and journalists should act quicker due to previously becoming targets of nation state spying.

‘Commercial spyware company NSO Group are very well known for locating and taking advantage of flaws in Apple’s iOS and then deploying malware to infect smartphones in order to steal data and surveil targets in real time.

‘It is better to be safe than sorry and so it is vital to update all devices immediately which doesn’t take long over Wi-Fi.’

The technical specifics of the two issues now fixed by Apple in iOS 15.6.1 are the vulnerability in the Kernel which was been tracked as ‘CVE-2022-32894’ and the flaw in WebKit, which was tracked as ‘CVE-2022-32893’.

Rachel Tobac, chief executive of SocialProof Security, said those who should be most aware of updating their software to protect against the ‘zero-day’ issues are activists who could be targeted by nation states.

Security researcher Sean Wright told Forbes that iOS 15.6.1 is an important update. He said it is possible the two issues ‘could be chained together to allow attackers to remotely gain full access to victims’ devices.’

Apple did not say in its reports how, where or by whom the vulnerabilities were discovered. In all cases, it cited an anonymous researcher. California-based security expert Will Strafach told how he had seen no technical analysis of the vulnerabilities that it has now patched.

The company has previously acknowledged similarly serious flaws and, in what Mr Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had been exploited.

This is the screen you need to go to on an iPhone to download the required update to iOS 15.6.1

Customers queue to collect their pre-orders for new Apple products outside the store in Regent Street in September 2019

‘Apple is aware of a report that this issue may have been actively exploited,’ the Silicon Valley-based firm said. Apple would not say whether it had details regarding the extent to which the issue has been exploited.

Commercial spyware companies such as Israel’s NSO Group are known for identifying and taking advantage of such flaws, exploiting them in malware that surreptitiously infects targets’ smartphones, siphons their contents and surveils the targets in real time.

NSO Group has been blacklisted by the US Commerce Department. Its spyware is known to have been used in Europe, the Middle East, Africa and Latin America against dissidents and human rights activists.

The warning comes ahead of the imminent release of the iPhone 14, with Apple set to reveal its new product next month. A launch date has not yet been confirmed, but September 7 has been suggested by Bloomberg.

Apple has not yet commented about the vulnerabilities further than the security update issued on Wednesday.

How to protect yourself from the Apple security flaw affecting iPhones, iPads and Macs

Apple users have been told to update their software to block potential intrusion, after the tech giant discovered serious security vulnerabilities in its iPhones, iPads and Macs.

It said zero-day software flaws could potentially allow attackers to take complete control of these devices.

Cyber security experts warn hackers could track users’ location, read messages, view a person’s contacts list and even access their microphone and camera.

Here MailOnline answers all the key questions and tells you what you need to do to protect yourself.

What has happened?

Apple disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.

The company released two security reports about the issue on Wednesday, although these didn’t receive wide attention outside of tech publications.

Apple said the vulnerability meant a hacker could get ‘full admin access’ to the device.

That would allow intruders to impersonate the device’s owner and subsequently run any software in their name, according to Rachel Tobac, CEO of SocialProof Security.

Andy Norton, chief cyber risk officer at Armis, said: ‘This clearly has wide reaching implications.

‘Apple products have become a mainstay of everyday life, Facial recognition, banking apps, health data, pretty much everything we hold dear resides on our Apple products.

‘Historically, many people have not updated their Apple products for fear of shortening the life span of their devices, that behaviour now must change.’

Which devices are affected?

The two vulnerabilities were found in WebKit, the browser engine that powers Safari, and the kernel, which is the core of the operating system.

Security experts have advised users to update affected devices including the iPhone 6S and later models; several models of the iPad, including the 5th generation and later, all iPad Pro models and the iPad Air 2; and Mac computers running MacOS Monterey.

The flaw also affects some iPod models.

Who is at risk?

Apple did not say in the reports how, where or by whom the vulnerabilities were discovered. In all cases, it cited an anonymous researcher.

However, commercial spyware companies such as Israel’s NSO Group are known for identifying and taking advantage of such flaws, exploiting them in malware that surreptitiously infects targets’ smartphones, siphons their contents and surveils the targets in real time.

NSO Group has been blacklisted by the US Commerce Department. Its spyware is known to have been used in Europe, the Middle East, Africa and Latin America against journalists, dissidents and human rights activists.

Security researcher Will Strafach said he had seen no technical analysis of the vulnerabilities that Apple has just patched.

The company has previously acknowledged similarly serious flaws and, in what Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had being exploited.

Those who should be particularly attentive to updating their software are ‘people who are in the public eye’ such as activists or journalists who might be the targets of sophisticated nation-state spying, Tobac said.

What would happen if the vulnerability was exploited?

In an update on its support page, Apple said one of the flaws mean a malicious application ‘may be able to execute arbitrary code with kernel privileges’.

This means an attacker who has gained access to an Apple device could potentially take over the entire operating system, thereby acquiring the sort of ‘administrative superpowers’ normally reserved for Apple itself.

This would allows them to change system security settings, take screenshots, find your location, use cameras on the device, copy text messages and track your browsing.

There’s also a remote code execution hole in Apple’s HTML rendering software (WebKit), which means a booby-trapped web page could trick iPhones, iPads and Macs into running unauthorised and untrusted software code.

Independent security researcher Sean Wright said the two vulnerabilities ‘could be chained together to allow attackers to remotely gain full access to victims’ devices.’

‘Apple has disclosed some pretty serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow hackers to take complete control over these devices,’ Jake Moore, Global Cybersecurity Advisor at ESET Internet Security, told MailOnline.

‘It is better to be safe than sorry and so it is vital to update all devices immediately which doesn’t take long over Wi-Fi.’

How did Apple to discover the security flaw?

The company is yet to reveal how the bugs were found, other than to credit ‘an anonymous researcher’.

It also hasn’t said where in the world they have been used or who has been doing so and for what purpose.

Apple has only said: ‘For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.’

Brian Higgins, security specialist at Comparitech, said: ‘Apple usually rely on software updates to keep their platforms safe and hope that any “bugs” go largely unnoticed between releases.

‘It’s very rare for them to go public like this which means everyone should take this threat seriously and update as soon as they are able.’

What are zero-day exploits?

The two vulnerabilities patched by Apple on Wednesday represent the sixth and seventh ‘zero-day’ exploits that Apple has been forced to fix this year.

These are software vulnerabilities discovered by attackers before the vendor has become aware of it.

Because the vendors are unaware, it means that no patch exists for zero-day vulnerabilities, so attacks are more likely to succeed.

How can you protect yourself?

Cyber security experts have advised people to urgently update the devices affected.

To update your phone…

Go to Settings > General > Software Update.

To update your Mac…

Go to System Preferences > Software Update.

The update for iOS and iPadOS is version 15.6.1

For MacOS it is version 12.5.1

For tvOS it is version 15.6

For watchOS for Apple Watch Series 3 it is version 8.7.1

For watchOS for Apple Watch Series 4, 5, SE, 6, and 7 it is version 8.7

Apple says: ‘This update provides important security updates and is recommended for all users.’

The company has not given any further information on how many users are affected by the vulnerability.

Sam Curry, chief security officer at Cybereason, said: ‘Regardless of Apple’s recent disclosure of a serious vulnerability affecting millions of iPhones, iPads and Macs, it wouldn’t be prudent for anyone to panic.

‘While the vulnerability could allow threat actors to take full control of a device, stay calm and simply get control of your devices and download the software updates available from Apple. Do that and move on.

‘In a rare case, will we find out how threat actors were able to exploit the current vulnerabilities. Overall, follow Apple instructions if you think you are infected and consult your IT department at work, school, etc, as needed for more information.’

Source: Read Full Article