‘A cyber threat actor could exploit some of these vulnerabilities to take control,’ said the U.S. Cybersecurity & Infrastructure Security Agency.
A U.S. agency issued an advisory to millions of Apple iPhone and iPad users to update their products as soon as possible due to a security issue.
In a bulletin released on Jan. 23, the U.S. Cybersecurity & Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security, advised users and administrators to review and apply the update.
“Apple has released security updates for iOS and iPadOS, macOS, Safari, watchOS, and tvOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system,” said the agency. It then recommended the update.
It came this week after Apple released iOS 17.3 with a warning to update iPhones and other devices due to security fixes that are currently being targeted by malign actors.
As usual, Apple provided few details about the fixes in the latest update, which applies to iPhones and iPads. But one of the issues that was fixed, known as CVE-2024-23222, was a vulnerability in WebKit, which runs the Safari browser, that could allow an actor to execute code on a device.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” the Cupertino-based tech giant said on Jan. 22.
Several other bugs that impact WebKit, Safari, reset services, mail, kernel (the core of an operating system), and more were fixed in the update, according to Apple’s support page.
Two WebKit issues also could lead to remote code execution, while the kernel problem could allow an attacker to execute code through an app, it said.
“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page,” the company said.
The fixes target devices that use these Apple operating systems and programs: iOS 17.3 and iPadOS 17.3, iOS 16.7.5 and iPadOS 16.7.5, iOS 15.8.1 and iPadOS 15.8.1, macOS Sonoma 14.3, macOS Ventura 13.6.4, macOS Monterey 12.7.3, Safari 17.3, watchOS 10.3, and tvOS 17.3.
Sean Wright, head of application security at Featurespace, told Forbes magazine that the kernel-based issue could be “chained with the WebKit vulnerabilities,” allowing a malign actor to take over a device remotely.
Separate Security Updates
Other than the bug fixes, the update will add Apple Music features that have been tested since late last year. It also added a “stolen device protection” service that can provide a new “layer of security” for accounts connected to a device.
“When Stolen Device Protection is enabled, some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work.
“These requirements help prevent someone who has stolen your device and knows your passcode from making critical changes to your account or device,” Apple’s website says.
“In the rare cases where a thief can observe the user entering the passcode and then steal the device, stolen device protection adds a sophisticated new layer of protection,” Apple also said when the beta was released last month.
That feature may have been in response to several Wall Street Journal articles that detailed iPhone users who had their “entire digital life” stolen by criminals and who said they were locked out of their Apple accounts after their devices were stolen.
Some also claimed to have been victims of financial crimes, detailing how their entire bank accounts were wiped out, had significant Apple Pay purchases, and more.
Another Journal article said that users should attempt to cover their iPhones in public when accessing passwords or passcodes, saying that some criminals may attempt to memorize them to get inside the devices at a later time, potentially compromising their Apple Pay and Apple accounts.
An Apple spokesperson told MacRumors at the time that “security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats” and that “we sympathize with users who have had this experience and we take all attacks on our users very seriously.”
How to Update
For many iPhone users, the update will be automatic, but it depends on the users’ phone settings.
Users can go to the iPhone’s Settings before tapping General, then tapping Software Update to download and install iOS 17.3 (or iOS 16.7.5 or iOS 15.8.1 for older models) as well as the aforementioned security fixes.
That download can be accessed regardless of whether the user has automatic updates turned on or off.
According to the company, the latest update will separately provide more crash detection optimizations for all iPhone 14 and iPhone 15 models.
Apple included the update’s full release notes on its website.
Jack Phillips is a breaking news reporter with 15 years experience who started as a local New York City reporter. Having joined The Epoch Times’ news team in 2009, Jack was born and raised near Modesto in California’s Central Valley. Follow him on X: https://twitter.com/jackphillips5