Apple releases emergency updates to resolve zero-day exploits

Apple released urgent security updates this week to address zero-day vulnerabilities in older iPhone, iPad, and iPod models.

The patches, released Wednesday, address an out-of-bounds write issue that an attacker could exploit to take control of the affected device. The US Cybersecurity and Infrastructure Security Agency (CISA) today encouraged users and IT administrators to review Apple Advisory HT213428 and apply any necessary updates.

Apple did not immediately respond to a request for comment on whether the vulnerabilities had been brought to its attention through active exploits, but its security update said: "Apple is aware of a report that this issue may have been actively exploited."

Software vulnerabilities are listed in the Common Vulnerabilities and Exposures (CVE) database, a system funded by a division of the US Department of Homeland Security (DHS) to ensure public disclosure of security vulnerabilities and exposures.

"The problem is that if a web page is built in a certain way, it can cause code to be executed on the device outside of normal containment and effectively create a malware situation on the device that could compromise data, contacts, location, insert malicious software items, etc.," said Jack Gold, principal analyst at J. Gold Associates, LLC.

"So that's a big problem," he added.

The vulnerabilities affect iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), and computers running earlier versions of macOS.

The fact that the problem affects this group of older devices, not newer models, means there are relatively few devices at risk, Gold said. Still, he said, anyone with one of the older devices should upgrade as soon as possible.

While a proposed patch for older devices may seem inconsequential, cybercriminals are especially fond of older, unpatched technologies, particularly if the vulnerability gives them full control and the ability to access other systems and services.

"An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability," Malwarebytes said in a blog post today. "The vulnerability exists in Apple's HTML rendering software (WebKit). WebKit works with all iOS and Safari web browsers, so possible targets are iPhones, iPads, and Macs, which could be tricked into executing unauthorized code."

The issue is resolved in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. Apple encourages users to update to the latest versions of its software.

Copyright © 2022 IDG Communications, Inc.