Apple Warns of Critical Security Risk in Safari For iPhones, iPads and Macs


Apple has released updates to fix security flaws across iPhone, iPad and Mac devices, after admitting the vulnerabilities may have been "actively exploited" by threat actors.

The vulnerability reportedly gave attackers a way into WebKit, the engine that powers Apple's Safari browser, via "maliciously crafted web content." Once that initial foothold was gained, threat actors could "execute arbitrary code" and go on to take control of the device's operating system (OS).

In terms of affected devices, Apple mentioned iPhones dating back to the 6S model, iPad 5th generation and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models, and the 7th generation iPod touch.

Mac computers running macOS Monterey were also affected, alongside Apple's Safari browser on macOS Big Sur and Catalina.

The company released the patches for the flaws between Wednesday and Friday; they are now listed on Apple’s security updates webpage.

“Apple has released security updates to address vulnerabilities in macOS Monterey, iOS and iPadOS, and Safari,” wrote the Cybersecurity and Infrastructure Security Agency (CISA) in an advisory on Thursday. 

“CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible.”
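Because the article names the affected platforms but not the version numbers that carry the fixes, an administrator checking a fleet has to compare what is installed against Apple's published fixed versions. The script below is an added example, not code from the article, Apple or CISA. It assumes the fixed versions are macOS 12.5.1 and Safari 15.6.1 (taken from Apple's security updates page for these patches, not from this article; confirm them there before relying on the script), and it uses Apple's own sw_vers(1) and the Safari bundle's Info.plist to read the installed versions.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: check whether this Mac
# already carries the fixes described above.

# Assumption: the fixed versions published on Apple's security updates page
# for these patches. Adjust if you are acting on a different advisory.
MACOS_FIXED=12.5.1
SAFARI_FIXED=15.6.1

# version_at_least INSTALLED REQUIRED
# Returns 0 when INSTALLED >= REQUIRED, comparing dotted numeric components
# left to right; a missing trailing component counts as 0 (12.5 < 12.5.1).
version_at_least() {
    installed=$1
    required=$2
    while [ -n "$required" ]; do
        r=${required%%.*}
        i=${installed%%.*}
        [ -z "$i" ] && i=0
        if [ "$i" -gt "$r" ]; then return 0; fi
        if [ "$i" -lt "$r" ]; then return 1; fi
        # Drop the component just compared from both strings.
        case $required in *.*) required=${required#*.} ;; *) required="" ;; esac
        case $installed in *.*) installed=${installed#*.} ;; *) installed="" ;; esac
    done
    return 0
}

# Only meaningful on a Mac: sw_vers prints the OS version, e.g. 12.5.1.
check_macos() {
    [ "$(uname -s)" = Darwin ] || { echo "not macOS; skipping"; return 2; }
    installed=$(sw_vers -productVersion)
    if version_at_least "$installed" "$MACOS_FIXED"; then
        echo "macOS $installed: at or above $MACOS_FIXED"
    else
        echo "macOS $installed: UPDATE NEEDED (fix shipped in $MACOS_FIXED)"
        return 1
    fi
}

# Safari is patched separately on Big Sur and Catalina, so check its bundle
# version too; CFBundleShortVersionString holds the user-visible version.
check_safari() {
    [ "$(uname -s)" = Darwin ] || { echo "not macOS; skipping"; return 2; }
    installed=$(defaults read /Applications/Safari.app/Contents/Info.plist \
        CFBundleShortVersionString)
    if version_at_least "$installed" "$SAFARI_FIXED"; then
        echo "Safari $installed: at or above $SAFARI_FIXED"
    else
        echo "Safari $installed: UPDATE NEEDED (fix shipped in $SAFARI_FIXED)"
        return 1
    fi
}

# Run the checks when executed on a Mac; elsewhere the functions are only defined.
if [ "$(uname -s)" = Darwin ]; then
    check_macos
    check_safari
fi
```

A Mac on macOS 13 or later passes the macOS check because its first version component is higher than 12, which is the intended behaviour: those releases include the fix. The comparison is purely numeric, so it does not understand beta or build suffixes; strip those before calling version_at_least if your inventory tool reports them.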

The point was also echoed by SocialProof Security CEO Rachel Tobac on Twitter on Thursday.

“Apple found two 0-days actively in use that could effectively give attackers full access to a device,” she wrote. “For most folks: update the software by end of the day. If the threat model is elevated (journalist, activist, targeted by nation states, etc): update now.”

Despite releasing patches for the vulnerabilities, the iPhone maker credited only an anonymous researcher and did not say how or where they were discovered.

The news comes weeks after Apple first announced a new set of iPhone features called 'Lockdown Mode.'

Commenting on the story, Muhammad Yahya Patel, security evangelist at Check Point, said: “We urge everyone with an affected Apple device to update to the latest software as soon as possible. Cyber-criminals will be on the lookout for any device that hasn’t updated the software in order to access personal information, inject malware or get access to corporate networks. Apple has stated this vulnerability may have been exploited against users already. The threat landscape is evolving rapidly, and mobile vulnerabilities and malware are a significant, and often overlooked, danger for both personal and enterprise security."
