Apple Patches Serious Security Flaws With iOS Update

Apple has warned about serious security flaws which hackers may have "actively exploited" and has released an urgent security update for its iPhone, iPad and Mac devices.

Users of these devices are advised to immediately install the software updates that include security patches to fix two zero-day vulnerabilities. 

The patches fix vulnerabilities that allow attackers to execute arbitrary code and take over devices. The flaws lie in the kernel and WebKit functions. 

The update has been made available to iPhone 6s and later, iPad Pro, iPad Air 2 and later and iPad 5th generation and later. It is also available to the iPad mini 4 and later versions and the iPod touch (7th generation). Mac users running macOS Monterey are also being encouraged to update. “For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available. This document lists recent releases,” an Apple advisory notice said.

Software updates are an everyday aspect of our modern tech lives, but this is one update that should not be ignored.

  • One of the software weaknesses affects the kernel, the deepest layer of the operating system that all the devices have in common.
  • The other affects WebKit, the underlying technology of the Safari web browser. Apple said this flaw could be used by hackers if the user accessed "maliciously-crafted web content".

There have been no confirmed reports of specific cases where the security flaws have been used against people or devices, although there is suspicion that Apple is acting in response to widely reported use of spyware developed by Israel's NSO Group.

For each of the bugs, the company said it was “aware of a report that this issue may have been actively exploited,” but it provided no further details, although it credited an anonymous researcher for disclosing both software flaws.

Previous research has shown that even commercial spyware companies such as Israel's NSO Group are known for identifying and taking advantage of such flaws, exploiting them in malware that surreptitiously infects targets' smartphones, siphons their contents and spies on the targeted users in real time.

Users should rightly be concerned about the potential power hackers could wield if they target a device that is vulnerable to this attack. While the most likely targets of these problems are high-profile individuals like politicians and celebrities, everyone should update their iOS devices as soon as possible.

Sources: Apple, Apple, Macrumors, Oodaloop, Tomsguide, CBS, BBC, Guardian, Yahoo

