Apple users have been advised to immediately update their iPhones, iPads and Macs to protect against a pair of security vulnerabilities that can allow attackers to take complete control of their devices.
In both cases, Apple said, there are credible reports that hackers are already abusing the vulnerabilities to attack users.
One of the software weaknesses affects the kernel, the deepest layer of the operating system that all the devices have in common, Apple said. The other affects WebKit, the underlying technology of the Safari web browser.
For each of the bugs, the company said it was “aware of a report that this issue may have been actively exploited,” though it provided no further details. It credited an anonymous researcher or researchers for disclosing both.
Anyone with an iPhone released since 2015, an iPad released since 2014 or a Mac running macOS Monterey can download the update by opening up the settings menu on their mobile device, or choosing “software update” on the “about this Mac” menu on their computer.
Rachel Tobac, the CEO of SocialProof Security, said Apple’s explanation of the vulnerability meant a hacker could get “full admin access to the device” so that they can “execute any code as if they are you, the user”.
Those who should be particularly attentive to updating their software are “people who are in the public eye”, such as activists or journalists who might be the targets of sophisticated nation-state spying, Tobac said.
Until the fix was released on Wednesday, the vulnerabilities will have been classed as “zero-day” bugs, because there has been a fix available for them for zero days. Such weaknesses are hugely valuable on the open market, where cyberweapon brokers will buy them for hundreds of thousands, or millions, of dollars.
The broker Zerodium, for instance, will pay “up to $500,000” for a security weakness that can be used to hack a user through Safari, and up to $2m for a fully developed piece of malware that can hack an iPhone without a user needing to click on anything. The company says its customers for such weaknesses are “government institutions (mainly from Europe and North America)”.
Commercial spyware companies such as Israel’s NSO Group are known for identifying and taking advantage of such flaws, exploiting them in malware that surreptitiously infects targets’ smartphones, siphons their contents and surveils the targets in real time.
NSO Group has been blacklisted by the US commerce department. Its spyware is known to have been used in Europe, the Middle East, Africa and Latin America against journalists, dissidents and human rights activists.
Will Strafach, a security researcher, said he had seen no technical analysis of the vulnerabilities that Apple has just patched. The company has previously acknowledged similarly serious flaws and, on what Strafach estimated to be perhaps a dozen occasions, has noted that it was aware of reports that such security holes had been exploited.
