London24NEWS

Apple reveals security vulnerabilities affecting iPhones and iPads

Apple users were today urged to update their devices after the firm disclosed serious security vulnerabilities for iPhones, iPads and Macs that could potentially allow attackers to take complete control of these devices.

The US company said it is ‘aware of a report that this issue may have been actively exploited’ and released two security reports about the issue on Wednesday, but they have only now received more widespread attention.

Security experts told users to update affected devices – the iPhone 6S and later models; and several models of the iPad, including the 5th generation and later, all iPad Pros, the iPad Mini 4 and later and the iPad Air 2 and later.

Mac computers on MacOS Monterey and the iPod Touch 7th generation are also affected. The two issues were found in WebKit, the browser engine that powers Safari, and the Kernel, which is the core of the operating system.

In an update on its support page, Apple said one of the flaws means a malicious application ‘may be able to execute arbitrary code with Kernel privileges’ – which has been described as meaning full access to the device.

Apple chief executive Tim Cook holds the iPhone 13 Pro Max and Apple Watch 7 in Cupertino, California, last September

Apple released two security reports about the issue on Wednesday, and they have now received more widespread attention

The two vulnerability issues now fixed by Apple in iOS 15.6.1 are a vulnerability in the iPhone Kernel and the flaw in WebKit

Apple’s explanation of the vulnerability means a hacker could get ‘full admin access’ to the device, which would allow intruders to impersonate the device’s owner and subsequently run any software in their name.

Jake Moore, Dorset-based global cybersecurity advisor at ESET Internet Security, explained to MailOnline today how the vulnerabilities could potentially allow hackers to take complete control of devices.

Key details: What is the Apple update and what devices are affected?

What is the update to?

  • iOS 15.6.1
  • iPadOS 15.6.1

What devices are affected?

  • iPhone (6s and later)
  • iPad Pro (all models)
  • iPad Air (2 and later)
  • iPad (5th generation and later)
  • iPad Mini (4 and later)
  • iPod Touch (7th generation)
  • Mac computers (on MacOS Monterey)

Where were the issues found?

  • WebKit (browser engine that powers Safari)
  • Kernel (core of the operating system)

What were the vulnerabilities called?

  • WebKit – ‘CVE-2022-32893’
  • Kernel – ‘CVE-2022-32894’

He said: ‘If exploited, attackers would be able to see your location, read messages, view contacts lists and potentially even access the microphone and camera – all the things you don’t want to have out there.’

In technical terms, the two issues now fixed by Apple in iOS 15.6.1 are the vulnerability in the Kernel, which has been tracked as ‘CVE-2022-32894’, and the flaw in WebKit, which was tracked as ‘CVE-2022-32893’.

Rachel Tobac, chief executive of SocialProof Security, said those who should be most aware of updating their software to protect against the ‘zero-day’ issues are activists who could be targeted by nation states.

Security researcher Sean Wright told Forbes that iOS 15.6.1 is an important update. He said it is possible the two issues ‘could be chained together to allow attackers to remotely gain full access to victims’ devices.’ 

Apple did not say in its reports how, where or by whom the vulnerabilities were discovered, and security researcher Will Strafach said he had seen no technical analysis of the vulnerabilities that it has now patched.

The company has previously acknowledged similarly serious flaws and, in what Mr Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had been exploited.

‘Apple is aware of a report that this issue may have been actively exploited,’ the Silicon Valley-based firm said. Apple would not say whether it had details regarding the extent to which the issue has been exploited.

The warning comes ahead of the imminent release of the iPhone 14, with Apple set to reveal its new product next month. A launch date has not yet been confirmed, but September 7 has been suggested by Bloomberg. 

Apple has not yet commented about the vulnerabilities further than the security update issued on Wednesday. 

This is the screen you need to go to on an iPhone to download the required update to iOS 15.6.1
