Apple has released an emergency update for iOS and iPadOS to fix a zero-day vulnerability that was actively exploited to hack iPhones and iPads. The update also patches two other security flaws that could allow attackers to execute arbitrary code or access sensitive information.
The zero-day vulnerability, tracked as CVE-2023-42824, affects the kernel component of iOS and iPadOS. According to Apple, a local attacker may be able to elevate their privileges by exploiting this flaw. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6.
Apple did not provide any details about the nature or source of the attacks, but security researchers have speculated that it could be related to the NSO Group, an Israeli company that sells spyware tools to governments and law enforcement agencies. NSO Group has been accused of using zero-day exploits to target activists, journalists, and dissidents around the world.
The emergency update, iOS 17.0.3 and iPadOS 17.0.3, also fixes two other vulnerabilities in WebRTC and WebKit, the components responsible for video conferencing and web browsing respectively. These vulnerabilities, CVE-2023-5217 and CVE-2023-262365, could allow a remote attacker to cause unexpected application termination or arbitrary code execution when a device processes maliciously crafted web content.
Apple recommends that all users update their devices as soon as possible to protect themselves from these threats. Users can check for updates by going to Settings > General > Software Update on their devices.
Apple has traditionally had a strong security posture, although it has faced several data breaches, vulnerabilities, and controversies over the years. Some notable examples are:
- In 2014, Apple was involved in a high-profile dispute with the FBI over unlocking an iPhone belonging to one of the shooters in the San Bernardino terrorist attack. Apple refused to comply with a court order to create a backdoor in its encryption system, arguing that it would compromise the security and privacy of all its users. The FBI eventually dropped the case after finding an alternative way to access the device.
- In 2016, a group of hackers known as the Turkish Crime Family claimed to have access to hundreds of millions of iCloud accounts and threatened to wipe them unless Apple paid a ransom. Apple denied that its systems were breached and said that the hackers obtained the credentials from third-party sources. Apple advised its users to change their passwords and enable two-factor authentication.
- In 2017, researchers discovered a major vulnerability in macOS High Sierra that allowed anyone to gain root access to a Mac without a password. Apple quickly released a patch for the issue, but the patch also introduced another bug that broke file sharing on some Macs. Apple apologized for the incident and promised to audit its development processes.
- In 2018, researchers found a critical flaw in macOS Mojave that allowed attackers to bypass the built-in privacy protections and access sensitive data such as contacts, photos, and emails. Apple fixed the issue in a subsequent update.
- In 2019, Google’s Project Zero team revealed that they had discovered a series of hacked websites that were used to deliver malware to iPhones for at least two years. The malware exploited 14 vulnerabilities in iOS across five different exploit chains, giving attackers full access to the device’s data and capabilities. Apple patched the vulnerabilities in iOS 12.1.4 and downplayed the severity of the attack.
- In 2020, Apple faced backlash from users and privacy advocates over its plan to scan iCloud photos for child sexual abuse material (CSAM) and iMessage content for sexually explicit images of minors. Apple said that its system was designed to preserve user privacy while protecting children from harm, but critics argued that it could create a backdoor for surveillance and censorship. Apple later postponed the implementation of the feature after receiving feedback from customers, researchers, and advocacy groups.
- In 2021, Amnesty International reported that NSO Group’s Pegasus spyware was used to target human rights activists, journalists, lawyers, and politicians around the world using zero-click iMessage exploits that bypassed Apple’s security measures. Apple condemned the attacks and said that it was constantly working to improve its security defenses.