Apple has announced the discovery of a serious security vulnerability for iPhones, iPads and Macs which could potentially allow attackers to take complete control of a victim’s devices.
Fortunately the announcement came as Apple released a security update that would prevent the attack from taking place.
To install this security update, you can go to the Settings App, then General, then Software Updates.
The latest version of iOS and iPadOS is 15.6.1, while macOS is on 12.5.1.
How did the attack work?
According to Apple the vulnerability could have been exploited by “processing web content”, meaning accessing a web page which contained malicious code.
Any attackers that knew about the vulnerability – and how to exploit it – could, by directing a victim to such a web page, be able to execute any code they wanted on the victim’s device.
Usually devices restrict the kinds of code that can be run on them to users with particular levels of privileges – but this vulnerability allowed the code to be executed with kernel privilege.
The kernel is the core part of iOS. It has unrestricted access to all aspects of the operating system – meaning the attacker could have complete control over the victim’s device.
Who was using it to attack people?
Apple said it is aware of a report that the vulnerability may have been actively exploited.
However the company did not offer any additional details.
What is the risk to the general public?
Within the cyber security world, the ability to execute code on a victim’s device just by making them open a web page is extremely rare and powerful.
As a simple matter of supply and demand, the exploit could have been purchased for a lot of money – and if so, then it would likely have been used to attack a high-value target.
Offensive cyber tools like exploits for serious vulnerabilities like this don’t last forever.
As soon as the vulnerability is discovered then the software vendor can begin developing a fix for it – and any attempt to exploit the vulnerability risks revealing that it exists.
This limited time in which a vulnerability can be exploited also impacts the market dynamics for selling, purchasing and using such tools.
All of this means that before the vulnerability was discovered by Apple – when it was a “zero day” vulnerability because the vendor had zero days to develop the patch – it would likely not be used for general targeting.
However now that the vulnerability is publicly known, it could be that criminals reverse engineer the security update and target members of the public who haven’t yet updated their devices.
This is why it is so important to install the latest security updates.
Who found this issue?
The researcher who reported the vulnerability chose to remain anonymous.
There could be a number of reasons for them doing so, including simply that they didn’t want the attention that the report would have brought them.
Potentially it could also be that the researcher works for a company or government organisation that was targeted through this vulnerability.
If so, revealing that they knew about the attack – by attributing the disclosure to a name associated with the victim – could provide the attacker with some feedback about their offensive operation.
Read more: GCHQ reveals why it keeps some software vulnerabilities secret
Alternatively, it could be that the vulnerability was reported by a Western government with a vulnerabilities equity process, such as the UK’s National Cyber Security Centre, a part of GCHQ.
It may have been that the security and intelligence agencies had a need to exploit the vulnerability, but having done so chose to disclose it to Apple so that it could be fixed.
There is no evidence for any of the above scenarios, they are provided as some examples of the different reasons the researcher may have chosen to remain anonymous.