A U.S. Department of Homeland Security agency issued an alert to Apple product users this week due to a security vulnerability for iPhones, iPads, and MacOS devices as Apple announced it was releasing security updates for those flaws.
The threat was substantial enough to draw an alert from the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), which issued a statement on Feb. 14. Apple’s updates include iOS 16.3.1, iPadOS 16.3.1, and macOS’s Ventura 13.2.1, while the firm is rolling out Safari 16.3.1 to older Apple operating systems—including macOS Big Sur and macOS Monterey.
“Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected device,” said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a statement on Feb. 14.
CISA’s bulletin advises users and administrators “to review the Apple security updates page for the following products and apply the necessary updates as soon as possible.”
That includes updates for Safari 16.3.1, iOS 16.3.1 and iPadOS 16.3.1, and macOS 13.2.1, according to the notice. On Apple’s website, the bugfix is being rolled out because “an app may be able to execute arbitrary code with kernel privileges,” and another allows for “processing maliciously crafted web content may lead to arbitrary code execution.
For the second bug, or CVE-2023-23529, Apple said it is “aware of a report that this issue may have been actively exploited.”
Scott Radcliffe, a spokesperson for Apple, told tech website Endgadget that it does not have more details on the exploits that were mentioned in the security updates. The Epoch Times has contacted the Cupertino, California-based firm for comment.
Security research firm Sophos provided more details about the security update on Tuesday, saying that users should update as soon as possible. The security flaws are described as a “zero-day spyware implant bug,” meaning that it was a previously unknown vulnerability that could be actively exploited.
“Just looking at a website, which ought to be harmless, or opening an app that relies on web-based content for any of its pages (for example its splash screen or its help system), could be enough to infect your device,” it says about one of the exploits.
“Remember also that on Apple’s mobile devices, even non-Apple browsers such as Firefox, Chrome, and Edge are compelled by Apple’s AppStore rules to stick to WebKit,” the website says. “If you install Firefox (which has its own browser ‘engine’ called Gecko) or Edge (based on a underlying layer called Blink) on your Mac, those alternative browsers don’t use WebKit under the hood, and therefore won’t be vulnerable to WebKit bugs,” it noted.
How to Update
Generally, Apple users have automatic updates turned on. However, if that’s not the case, a user can go to the Apple menu, then click “About this Mac,” and click “Software Update.”
On iPad, iPhone, or another iDevice, they can go to “Settings,” then “General,” then “Software Update.”
“If your Apple product isn’t on the list, notably if you’re stuck back on iOS 15 or iOS 12, there’s nothing you can do right now, but we suggest keeping an eye on Apple’s HT201222 page in case your product is affected and does get an update in the next few days,” Sophos notes.
From The Epoch Times