Similar to previous high-profile security flaws, these vulnerabilities could be exploited to give hackers full control of certain Apple devices.
Apple has released a security patch for iPhones and iPads, fixing a vulnerability that “may have been actively exploited”.
The tech giant revealed two zero-day vulnerabilities which were found in iPhone models as far back as the iPhone 8. These flaws also impacted all iPad Pro models, along with some iPad, iPad mini and iPad Air models.
One of the vulnerabilities was discovered in WebKit, the browser engine used by Safari and other apps that can access the web. Apple said this flaw could allow hackers to run arbitrary code execution on devices that process “maliciously crafted web content”.
A hacker can use arbitrary code execution to try to achieve administrator control of a device. Apple said it is aware of a report that this issue may have been exploited. The tech giant said an anonymous researcher discovered this vulnerability.
The second flaw was discovered in in the operating system’s kernel. This is a core component of an operating system and has the highest privileges.
Apple said this issue could allow an app to execute code with kernel privileges, which would give hackers the ability to execute any commands and effectively take control of the device.
The company attributed the discover of this flaw to Xinru Chi of Pangu Lab and Ned Williamson of Google Project Zero.
These flaws are similar to vulnerabilities discovered last August on various iPhone, iPad and Mac models, that could potentially allow attackers to gain full control of devices.
These types of vulnerabilities have been exploited by malicious actors in the past, notably with the use of Pegasus spyware. In September 2021, Apple issued an urgent update to address a security flaw that could be exploited to infect iOS devices with the spyware.
In the latest security patch, Apple thanked Citizen Lab for their assistance. This internet research group was also one of the organisations behind investigations into Pegasus spyware and its impact.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.