With a series of software updates for its devices, Apple has closed two security vulnerabilities that may already have been exploited.
One of the vulnerabilities was in Apple’s WebKit software, which is used to display content in web browsers. Specially crafted websites could use the flaw to execute arbitrary code, Apple explained.
“Put simply, a cybercriminal could place malware on your device if you just looked at an otherwise harmless website,” the IT security firm Sophos subsequently warned on Thursday.
This weak spot put iPhones and iPads at even greater risk than Mac computers, because on the mobile devices all browsers run on WebKit, not just the in-house program Safari. The second vulnerability was in the kernel, the central part of the operating system. An attacker who has already gained access to the device could use it to access all sorts of data, Sophos emphasized.
Such vulnerabilities are considered very valuable and are usually exploited in a targeted manner by intelligence services and developers of surveillance software. The Pegasus software from the Israeli spyware company NSO, which also exploited vulnerabilities on Apple devices, became well known.
Apple attributed the now-patched vulnerabilities to information from an anonymous researcher. Like other companies, the iPhone maker pays rewards for information about discovered vulnerabilities. In recent years, Apple has repeatedly disclosed security vulnerabilities when releasing updates.
Users have to take action themselves to install the software updates. The current operating system versions are iOS 15.6.1 for the iPhone, iPadOS 15.6.1 for the tablets, and macOS Monterey 12.5.1 for Apple’s computers. (dpa/rw)