Apple users are once again urged to update their operating systems as soon as possible, following the discovery of two high-severity vulnerabilities. Kaspersky reported that iOS 16.4.1 and macOS 13.3.1, along with iOS 15 and macOS 11 and 12, contain the vulnerabilities.
According to the report, two high-severity vulnerabilities have been identified in Apple’s operating systems. The first vulnerability affects the WebKit engine, which serves as the foundation for the Safari web browser, and could allow malicious actors to run arbitrary code on a device if they access it via a website that they have created specifically for that purpose. The second vulnerability involves the IOSurfaceAccelerator object and could be used by attackers to execute programs with core permissions of the operating system, potentially allowing them to gain root privileges and compromise the security of users’ crypto assets.
Together, these vulnerabilities could allow attackers to “compromise the security of users’ crypto assets,” as noted in the report. The flaws can be found in a range of mobile operating systems, including iOS, iPadOS, and tvOS, as well as desktop operating systems such as macOS.
The first flaw is used first to breach the security of the device so that the second flaw can be used. The second vulnerability, on the other hand, grants the ability to ‘escape from the sandbox’ and do almost any action with an infected device.
Kaspersky report.
The impact of these vulnerabilities on crypto holders is particularly concerning, as they could potentially give attackers access to their digital assets. “Infection of an iOS device or Mac with a ‘zero-click’ exploit is feasible due to vulnerabilities in WebKit like the one detailed above,” notes the report. “Simply luring a person to a malicious website is enough to infect their device without requiring any action on their part.”
Apple has issued emergency updates to address the vulnerabilities in a range of systems, including macOS 11, 12, and 13, and iOS/iPadOS 15 and 16. While the WebKit engine is present across Apple’s mobile operating systems, it is important to note that any browser on iOS is effectively Safari, as it will use WebKit to render web pages. It is critical to keep Safari up-to-date, even if using a different browser, to prevent infection from a “zero-click” exploit, which can infect a device with malware simply by luring the user to a malicious website.
The discovery of these vulnerabilities highlights the need for constant vigilance when it comes to cybersecurity. Users must be diligent in updating their devices to protect themselves from the latest threats, especially as the metaverse and crypto sectors continue to grow. The repercussions of such vulnerabilities can be significant, including the potential loss of valuable assets and sensitive data. It is vital that users take steps to secure their devices and remain alert to potential threats.