*Cybersecurity experts urge Apple customers to follow the company鈥檚 patch instructions immediately, as a cybercriminal could implant malware on their devices even if all they did was to view an otherwise innocent Web page

Gbenga Kayode | 绿帽献妻

Global technology giant Apple has put out an emergency security update to patch two zero-day exploits, which reportedly were previously unidentified gaps in its defences that threat actors could use to hijack devices and plant malware on them.

绿帽献妻 learnt the notification was highlighted by Naked Security, the research wing of Sophos cybersecurity firm, which claims both exploits are actively being used by threat actors.

The first exploit, categorised as CVE-20220-32893, was detected in Apple鈥檚 HTML-rendering software WebKit, which underpins all of the technology giant鈥檚 devices, report said.

Subsequently, Naked Security explained that the bug could be used to fool iPhones, iPads, and Macs into running unauthorised malicious software from 鈥渁 booby-trapped Web page,鈥� CyberNews report said.

The cybersecurity company stated: 鈥淪imply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent Web page,鈥� it said.

Naked Security also warned that simply steering clear of Apple鈥檚 in-house Safari browser would not guarantee user safety because the company鈥檚 usage terms state that iOS devices must base their browsing functionality on WebKit even if they use other providers such as Google Chrome, Mozilla Firefox, and Microsoft Edge.

Similarly, because Mac and iDevice apps are highly likely to use Apple鈥檚 WebView system 鈥� itself derived from Webkit 鈥� their users are also vulnerable to the exploit.

Naked Security also said: 鈥淐VE-2022-32893, therefore, potentially affects many more apps and system components than just Apple鈥檚 own browser, so simply steering clear of Safari can鈥檛 be considered a workaround, even on Macs where non-WebKit browsers are allowed.鈥�

A case of from 鈥榖ad to worse鈥�

The second bug, classified as CVE-2022-32894, uses the foothold established by the first exploit to jump from having control of a single app to taking over the infected device鈥檚 entire operating system, thus acquiring 鈥渁dministrative superpowers鈥� normally only reserved for Apple staff.

Naked Security believes this 鈥渁lmost certainly鈥� would allow a threat actor to spy on, download, and take over apps on the target device, as well as change its system security settings and access most of the data held on it.

Furthermore, a cybercriminal could use the exploit to take screenshots on the target device, track its browsing history and retrieve its location, copy text messages, and access its camera and microphone.

The experts further observed that 鈥淎pple hasn鈥檛 said how these bugs were found 鈥� other than to credit 鈥榓n anonymous researcher鈥� 鈥� where in the world they鈥檝e been exploited, and who鈥檚 using them or for what purpose.鈥�

Urging Apple customers to follow the company鈥檚 patch instructions immediately, the research firm warned that left unchecked, the exploits could provide 鈥渁ll the functionality needed to mount a device jailbreak, deliberately bypassing almost all Apple-imposed security restrictions, or install background spyware and keep you under comprehensive surveillance.鈥�

Kindly Share This Story