Apple issues security update for two zero-day flaws

1 Dec 2023

Image: © Kaspars Grinvalds/Stock.adobe.com

Apple said the two vulnerabilities can give hackers access to sensitive information or allow them to gain control of an affected device.

Apple has issued an emergency update for two flaws that can leak sensitive information or let attackers run their own code on a device, after receiving reports that the vulnerabilities have already been exploited.

The company said the flaws affect iOS, iPadOS and macOS Sonoma. Both are in WebKit, the browser engine used by Safari and, on iOS, by every third-party browser as well, so they can be triggered by simply loading a malicious web page.

One of the flaws is an “out-of-bounds read”, which lets an attacker read memory beyond the buffer they are supposed to see and so disclose sensitive information. The other is a memory corruption bug that can be turned into “arbitrary code execution”.

Arbitrary code execution inside the browser engine is usually one link in a chain: attackers pair it with further bugs to escape WebKit’s sandbox and gain full control of the device. Apple said it is aware of reports that both issues may already have been exploited.
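To make the out-of-bounds read concrete, here is an added example, constructed for this article and not code from WebKit or Apple. It uses a hypothetical `record` structure in which a 16-byte public field sits directly in front of a 16-byte secret field, and shows an unchecked index read leaking the secret next to a bounds-checked version that refuses the same request:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the out-of-bounds read bug class.
 * The struct layout, field names and sample data are all assumptions
 * made for this example; they do not describe the WebKit bugs.
 */

#define PUBLIC_LEN 16
#define SECRET_LEN 16

/* One allocation: a 16-byte "public" field followed immediately by a
 * 16-byte "secret" field. Readers should only ever see the public part. */
struct record {
    uint8_t storage[PUBLIC_LEN + SECRET_LEN];
    size_t  public_len;   /* number of bytes a caller may read */
};

void record_init(struct record *r) {
    memset(r->storage, 0, sizeof r->storage);
    memcpy(r->storage, "public-data-0000", PUBLIC_LEN);               /* constructed */
    memcpy(r->storage + PUBLIC_LEN, "SECRET-TOKEN-XYZ", SECRET_LEN);  /* constructed */
    r->public_len = PUBLIC_LEN;
}

/* Vulnerable: trusts the caller-supplied index. Indices 16..31 return
 * bytes of the adjacent secret field instead of failing. */
uint8_t unchecked_read(const struct record *r, size_t idx) {
    return r->storage[idx];
}

/* Hardened: any index outside the public region is rejected before
 * memory is touched. Returns false on a rejected read. */
bool checked_read(const struct record *r, size_t idx, uint8_t *out) {
    if (idx >= r->public_len) {
        return false;
    }
    *out = r->storage[idx];
    return true;
}

/* Leak the secret field one byte at a time through the unchecked read,
 * the way a script would probe memory past the end of a buffer.
 * Returns the number of bytes copied into dst. */
size_t leak_secret(const struct record *r, char *dst, size_t dst_len) {
    size_t n = 0;
    for (size_t i = PUBLIC_LEN;
         i < PUBLIC_LEN + SECRET_LEN && n + 1 < dst_len;
         i++) {
        dst[n++] = (char)unchecked_read(r, i);
    }
    dst[n] = '\0';
    return n;
}

int main(void) {
    struct record r;
    record_init(&r);

    char leaked[SECRET_LEN + 1];
    leak_secret(&r, leaked, sizeof leaked);
    printf("unchecked read leaks: %s\n", leaked);

    uint8_t b = 0;
    printf("checked read of index 20 allowed: %s\n",
           checked_read(&r, 20, &b) ? "yes" : "no");
    return 0;
}
```

The point of the bounds check is that it compares the index against the length the caller is entitled to, not against the size of the allocation; a check against `sizeof storage` would still let the secret field be read. Real engines add the same kind of check at the boundary where untrusted script can influence an index.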

The flaws were discovered by Clément Lecigne, a security engineer with Google’s Threat Analysis Group. Lecigne also discovered a Chrome vulnerability earlier this year that was actively exploited by a commercial spyware vendor.

Michael Covington, a strategy VP with software company Jamf, said the flaws show that attackers “continue to focus on exploiting the framework that downloads and presents web-based content”.

“The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users,” Covington said.

“Though these patches validate that Apple devices are not immune to cyberthreats, the patching process is helping to reduce the attack surface. Now that the patches are issued, it is up to users, and organisations that utilise Apple devices for work, to update their devices and monitor for compliance to ensure that all critical devices are no longer vulnerable as soon as possible.”

In September, Apple released a security update to patch zero-day vulnerabilities related to Pegasus spyware.

That spyware made headlines in 2021 when an investigation claimed it was abused and used to target journalists, activists and government officials. Soon after, Apple sued the spyware’s creator, Israel’s NSO Group, in a bid to “hold it accountable for the surveillance and targeting of Apple users”.


Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com