Apple users have been instructed to update their software to block potential intruders after the tech giant discovered serious security flaws in its iPhones, iPads and Macs.
Zero-day software bugs could potentially allow attackers to take complete control of these devices.
Cybersecurity experts warn that hackers could track users’ location, read messages, view a person’s contact list, and even access their microphone and camera.
Here, Web answers all the important questions and tells you what you need to do to protect yourself.
What happened?
Apple has disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.
The company released two security reports on the issue on Wednesday, although these didn’t get much attention outside of the technical publications.
Apple said the vulnerability means a hacker could gain “full administrative access” to the device.
According to Rachel Tobac, CEO of SocialProof Security, an intruder could use it to impersonate the device’s owner and then run arbitrary software in their name.
Andy Norton, Chief Cyber Risk Officer at Armis, said: “Clearly, this has far-reaching implications.
“Apple products have become an integral part of everyday life, facial recognition, banking apps, health data, pretty much everything we care about is on our Apple products.
“In the past, many people have not updated their Apple products for fear of shortening the lifespan of their devices, this behavior must change now.”
Which devices are affected?
The two vulnerabilities were found in WebKit, the browser engine that powers Safari, and in the kernel, the core of the operating system.
Security experts have advised users to update affected devices, including the iPhone 6S and newer models; multiple models of iPad, including 5th generation and later, all iPad Pro models, and the iPad Air 2; and Mac computers running MacOS Monterey.
The bug also affects some iPod models.
Apple announced on Wednesday that they had discovered vulnerabilities in their iPhones, Macs, iPads and watches
Who is at risk?
Apple did not say in the reports how, where, or by whom the vulnerabilities were discovered. In all cases, an anonymous researcher was quoted.
However, commercial spyware companies such as Israel’s NSO Group are known to identify and exploit such vulnerabilities by exploiting them in malware that stealthily infects target individuals’ smartphones, siphons their content and monitors targets in real-time.
NSO Group has been blacklisted by the US Department of Commerce. Its spyware is known to have been used against journalists, dissidents and human rights activists in Europe, the Middle East, Africa and Latin America.
Security researcher Will Straach said he didn’t see a technical analysis of the vulnerabilities that Apple just patched.
The company has previously acknowledged similarly serious shortcomings, and noted what Straach estimated at perhaps a dozen times, that it was aware of reports that such vulnerabilities were being exploited.
Those who should be particularly vigilant when updating their software are “in the public eye,” such as activists or journalists, who could be the target of sophisticated nation-state espionage, Tobac said.
What would happen if the vulnerability were exploited?
In an update on its support page, Apple said one of the bugs means a malicious application “may be able to run arbitrary code with kernel privileges.”
This means that an attacker who gained access to an Apple device could potentially take over the entire operating system, acquiring the sort of “administrative superpowers” normally reserved for Apple itself.
This would allow them to change system security settings, take screenshots, find your location, use on-device cameras, copy text messages, and track your browsing.
There is also a remote code execution vulnerability in Apple’s HTML rendering software (WebKit), meaning a booby-trapped webpage could trick iPhones, iPads, and Macs into running unauthorized and untrusted software code.
Independent security researcher Sean Wright said the two vulnerabilities “could be chained together to allow attackers to remotely gain full access to victims’ devices.”
In an update on its support page, Apple said one of the bugs means a malicious application “may be able to run arbitrary code with kernel privileges” – which has been described as having full access to the device
“Apple has disclosed some pretty serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow hackers to take complete control of these devices,” Jake Moore, Global Cybersecurity Advisor at ESET Internet Security, told Web.
“If exploited, attackers could see your location, read messages, view contact lists, and possibly even access the microphone and camera — all the things you don’t want out there.
“Everyone should play it safe by updating their devices, but those in the public eye, such as activists, politicians and journalists, should act faster as they have previously become targets of nation-state espionage.
“Commercial spyware company NSO Group is well known for locating and exploiting flaws in Apple’s iOS, and then using malware to infect smartphones to steal data and monitor targets in real-time.
“It’s better to be safe than sorry, so it’s important to update all devices immediately, which doesn’t take long over Wi-Fi.”
How did Apple discover the vulnerability?
The company has yet to disclose how the flaws were found, other than attributing it to “an anonymous researcher.”
Nor was it said where in the world they were used or who did it and for what purpose.
Apple simply said, “To protect our customers, Apple does not disclose, discuss, or confirm any security issues until an investigation has been conducted and patches or releases are available.”
Brian Higgins, security specialist at Comparitech, said: “Apple typically relies on software updates to keep its platforms secure and hopes that any ‘bugs’ between releases will go largely unnoticed.
“It is very rare for them to go public like this, which means everyone should take this threat seriously and update as soon as they are able.”
What are zero-day exploits?
The two vulnerabilities that Apple patched on Wednesday represent the sixth and seventh “zero-day” exploits Apple has had to fix this year.
These are software vulnerabilities that are discovered by attackers before the provider is aware of them.
Not knowing this from vendors means there is no patch for zero-day vulnerabilities, making attacks more likely to succeed.
How can you protect yourself?
Cyber security experts have advised people to update the affected devices urgently.
To update your phone…
Go to Settings > General > Software Update.
To update your Mac…
Go to System Preferences > Software Update.
Cyber security experts have advised people to update the affected devices urgently
The update for iOS and iPadOS is version 15.6.1
For MacOS it is version 12.5.1
For tvOS it is version 15.6
For watchOS for Apple Watch Series 3, it is version 8.7.1
For watchOS for Apple Watch Series 4, 5, SE, 6 and 7, it is version 8.7
Apple says, “This update provides important security updates and is recommended for all users.”
The company did not provide any further information on how many users were affected by the vulnerability.
Sam Curry, Chief Security Officer at Cybereason, said: “Regardless of Apple’s recent disclosure of a serious vulnerability affecting millions of iPhones, iPads and Macs, there would be no need to panic.
“While the vulnerability could allow attackers to take full control of a device, remain calm and simply take control of your devices and download software updates available from Apple. Do that and move on.
“In a rare instance, we will find out how threat actors were able to exploit the current vulnerabilities. Overall, if you think you may be infected, follow Apple’s instructions and contact your IT department at work, school, etc. for more information if necessary.’