What is Apple’s new serious vulnerability and how do you protect yourself from it?

Apple has announced the discovery of a serious security vulnerability for iPhones, iPads and Macs that could allow attackers to take full control of a victim’s devices.

The announcement came as Apple released a security update that would prevent the attack from happening.

To install this security update, go to the Settings app, then General, then Software Update.

The latest version of iOS and iPadOS is 15.6.1, while macOS is 12.5.1.

How did the attack work?

According to Apple, the vulnerability could have been exploited by “processing web content”, meaning accessing a web page that contained malicious code.

Any attacker who knew of the vulnerability – and how to exploit it – could, by directing a victim to such a web page, execute any code they wanted on the victim’s device.

Normally, devices restrict what code can do according to the privilege level it runs with, but this vulnerability allowed code to run with kernel privileges.

The kernel is the core of iOS. It has unrestricted access to all aspects of the operating system, meaning the attacker could have complete control over the victim’s device.

Who was using it to attack people?

Apple said it is aware of a report that the vulnerability may have been actively exploited.

However, the company did not provide any additional details.

What is the risk to the general public?

Within the cybersecurity world, the ability to execute code on a victim’s device just by having them open a web page is extremely rare and powerful.

As a simple matter of supply and demand, the exploit could have been bought for a lot of money, and if so, it would likely have been used to attack a high-value target.

Offensive cyber tools, such as exploits for serious vulnerabilities like this one, don’t last forever.

As soon as the vulnerability is discovered, the software vendor can begin developing a fix for it, and any attempt to exploit the vulnerability risks revealing its existence.

This limited time in which a vulnerability can be exploited also affects the dynamics of the market for selling, buying and using these tools.

All of this means that before Apple discovered the vulnerability, while it was still a “zero-day” (so called because the vendor has had zero days to develop a patch), it probably would not have been used for general targeting.

However, now that the vulnerability is publicly known, it is possible for criminals to reverse engineer the security update and target members of the public who have not yet updated their devices.

That’s why it’s so important to install the latest security updates.

Who found this problem?

The researcher who reported the vulnerability chose to remain anonymous.

There could be a number of reasons for doing this, including simply that they didn’t want the attention the report would have brought.

It could also potentially be that the researcher works for a company or government organization that was targeted by this vulnerability.

If so, revealing that they knew about the attack – by attributing the disclosure to a name associated with the victim – could provide the attacker with some feedback about their offensive operation.


Alternatively, it could be that the vulnerability was reported by a Western government with a vulnerability due diligence process, such as the UK’s National Cyber Security Centre, part of GCHQ.

Security and intelligence agencies may have felt the need to exploit the vulnerability, but after doing so chose to disclose it to Apple so it could be fixed.

There is no evidence for any of the above scenarios; they are provided as examples of the various reasons why the researcher may have chosen to remain anonymous.
