Posted on August 23, 2022 at 6:08 AM
Two vulnerabilities recently discovered by an anonymous researcher have been patched by Apple. The tech giant has advised users to apply updates to their iPads, iPhones, and Macs to guide their devices against the pair of security flaws. Before the update, the vulnerabilities enable threat actors to gain control the Apple devices without many technicalities from the hackers. . According to Apple, the threat actors are already abusing the flaws to attack uses
One of the vulnerabilities in the software affects the kernel, the innermost layer of the operating system that is found on all devices. The second part impacts WebKit, which is Safari’s web browser’s underlying technology.
Apple Did Not Provide Additional Details About The Vulnerability
The firm explained that it is not aware of whether the vulnerability has been actively exploited. Apple did not provide further details about the situation but credited an anonymous researcher for the discovery of both flaws.
Users with iPad released in 2014, iPhones released in 2015, or Mac running macOS Monterey can download the update to protect their devices. They can go to the “software update” section of the device to download and apply the update on their device or computer.
Chief Executive Officer of SocialProof Security, Rachel Tobac, commented on the issue. She stated that Apple’s explanation of the bug means that a threat actor can get “full admin access to the device” and use it to execute codes as if they were the user.
Journalists And Activists Are Most Targeted
Tobac noted that those who are always in the public eye are the most targeted People with a long of followers on any social media platform are most targeted since their accounts can be used for all sorts of activities. Also, journalists and activists are targets of sophisticated nation-state spying.
The patch was only recently released, which means the flaws were classed as “zero-day” vulnerabilities. These types of weaknesses are highly valuable on the open market, where dark net brokers are available to buy them for hundreds of thousands. Once they get hold of the details, they can use them to compromise other highly sensitive platforms for financial gains.
For instance, the broker Zerodium can pay up to $500,000 to gain a security flaw that can be used to hack users via Safari. They can also cough out up to $2 million for a fully developed software piece that can be used to hack an iPhone without the user required to click anything. The firm noted that customers for such flaws are “government institutions, especially those from North America and Europe.
Technical Analysis Of The Vulnerabilities Do Not Exist
Commercial Spyware firms like Israel’s NSO Group are known to identify and take advantage of such vulnerabilities. They can exploit them in malware that secretively infects targets’ smartphones.
The US commerce department has already blacklisted the NSO Group. Its spyware has been discovered in the wild across several regions, including Latin America, the Middle East, Europe, and Africa. They usually target popular figures, human rights activists, dissidents, and journalists.
Cybersecurity researcher, Will Srafach, stated that he had not seen any technical analysis of the flaws that Apple had recently patched. Apple had previously revealed the existence of the vulnerability on what Strafash estimated to be seemingly on dozens of occasions. But non of the vulnerabilities have been analyzed technically. He added that Apple also revealed in reports that some of the security flaws had been exploited.
Apple’s reports are not detailed enough, according to the report. It doesn’t explain in detail how and where the flaw comes from or how it works. Additionally, it cited an anonymous researcher for the discovery of the bugs, which does not give any info on the discovery process.
Also, Apple didn’t mention how many users were affected by the vulnerability and said it is not aware of a previous report that the flaws may have been exploited before they were fixed.
The good news is the fact that patches are now available for both vulnerabilities. As a result, users have been advised to update their Mac and iOS devices to protect their systems against the exploit of the flaws. But with the increased level of attacks on devices, there is more chance that threat actors will still look for more ways to exploit vulnerabilities and target users.