Apple on Thursday Apple has released urgent security updates for iPhone, iPad, Mac, Apple Watch, and Safari users to patch three vulnerabilities that Apple says are being actively exploited.
The three vulnerabilities include a flaw in WebKit, the browser engine that powers Safari; A certificate validation error could allow a malicious application to run on an affected device; The third bug can be used to gain wider access to the kernel, the core of the operating system. These three vulnerabilities form part of an exploit chain, where the bugs are used together to gain access to the target’s device.
The bug fixes come just days after the release of iOS 17, which includes a host of new security and privacy features aimed at reducing the risk of cyberattacks, such as spyware.
For its part, Apple said it is only aware of an active exploit targeting users using iOS 16.7 and earlier. Apple has brought the bug back to iOS 16.7, as well as earlier versions of macOS Ventura, Monterey, and watchOS.
the Errors detected Written by Maddy Stone, a researcher in Google’s Threat Analysis Group, which investigates state-backed threats, and Citizen Lab’s Bill Marczak. And in the blog posts published on Friday, both Google And Citizen Lab Apple confirmed that its latest updates were aimed at preventing the exploitation of the Predator spyware on the phone of an Egyptian presidential candidate.
Predator is spyware developed by Cytrox, a subsidiary of Intellexa, that can steal the contents of a person’s phone when planted, often via fake text messages that point to malicious websites. Both Cytrox and Intellexa were added to the US government’s objectionable list earlier this year, effectively banning US companies from doing business with them.
This is the second high-profile security update released by Apple this month. Earlier in September, Citizen Lab said it had discovered evidence of a zero-click vulnerability on a fully updated (at the time) iPhone to implant Pegasus spyware, developed by NSO Group. The target was a person working for an unnamed organization based in Washington.
The vulnerability was used as part of an exploit series by Citizen Lab His name is BlastPassBecause it includes PassKit, a framework that allows developers to embed Apple Pay into their apps.
Marczak, who was speaking at TechCrunch Disrupt on Thursday, said that this vulnerability resulted from a failed attempt to hack into the US-based victim’s device.
“Because this attempt failed, remnants of the zero-click exploit remained on the phone,” Marczak said. “In this case, the origin of the vulnerability was a bug in the Google WebP photo library, which is built into the iPhone. Attackers found some way to exploit this to run arbitrary code inside Apple’s iMessage sandbox to install spyware on the system.”
Update your devices today.