With an urgent drive to safeguard its users, Apple has launched a slew of updates to mend multiple security vulnerabilities that affect its wide-ranging product lineup, including iPhones, iPads, macOS computers, as well as Apple TV and watches. Alarmingly, it appears some of these flaws have been exploited already.
Security updates rundown
Late on Monday, Apple released a substantial list of security updates:
- Safari 16.6
- iOS 16.6 and iPadOS 16.6
- iOS 15.7.8 and iPadOS 15.7.8
- macOS Ventura 13.5
- macOS Monterey 12.6.8
- macOS Big Sur 11.7.9
- tvOS 16.6
- watchOS 9.6
Tuesday saw the US government’s Cybersecurity and Infrastructure Security Agency (CISA) amplifying the urgency, warning of the potential for attackers to seize control of vulnerable devices. It strongly advised users to implement the software updates and ensure automatic patching systems function correctly.
Bugs under scrutiny
A particularly concerning bug, CVE-2023-32409, is found within Apple’s WebKit browser engine, impacting several iPhone models, iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). The security lab at Amnesty International and Google’s Threat Analysis Group discovered this bug.
According to Apple’s advisory, a remote attacker could break out of the Web Content sandbox. They acknowledge active exploitation of this issue but keep the specifics under wraps. The potential for deploying spyware on victims’ devices seems highly plausible.
Kernel-level vulnerabilities
Apple’s current security patch batch also addresses a kernel-level flaw, CVE-2023-38606, impacting the same set of devices. Indications are that this bug has been actively exploited. Apple gives credit to Kaspersky researchers for this discovery, believed to be similar to the kernel vulnerability associated with TriangleDB spyware.
Additional vulnerabilities
Another significant vulnerability, CVE-2023-37450, linked to WebKit, affects tvOS 16, watchOS 9.6, macOS Ventura, iOS 16, and iPadOS 16. This flaw, likely exploited before Apple’s patches, is triggered by processing web content, leading potentially to arbitrary code execution.
Apple has previously addressed this issue in certain iPhones and iPads with their new “rapid security response” in iOS 16.5.1 (c) and iPadOS 16.5.1 (c). These patches are designed for immediate device protection, bypassing the usual system update cycle that users may postpone or miss.
We are eager to hear from our esteemed readers. What do you make of these security concerns and Apple’s response? Share your thoughts with us in the comment section below!
{{user}} {{datetime}}
{{text}}