The tech giant has put out an emergency security update to patch two zero-day exploits – previously unidentified gaps in its defenses that threat actors could use to hijack devices and plant malware on them.
The notification was highlighted by Naked Security, the research wing of Sophos cybersecurity firm, which claims both exploits are actively being used by threat actors.
The first exploit, categorized as CVE-20220-32893, was detected in Apple’s HTML-rendering software WebKit, which underpins all of the tech giant’s devices. Naked Security explained that the bug could be used to fool iPhones, iPads, and Macs into running unauthorized malicious software from “a booby-trapped web page.”
“Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page,” it said.
Naked Security also warned that simply steering clear of Apple’s in-house Safari browser would not guarantee user safety because the company’s usage terms state that iOS devices must base their browsing functionality on WebKit even if they use other providers such as Google Chrome, Mozilla Firefox, and Microsoft Edge.
Similarly, because Mac and iDevice apps are highly likely to use Apple’s WebView system – itself derived from Webkit – their users are also vulnerable to the exploit.
“CVE-2022-32893 therefore potentially affects many more apps and system components than just Apple’s own browser, so simply steering clear of Safari can’t be considered a workaround, even on Macs where non-WebKit browsers are allowed,” said Naked Security.
From bad to worse
The second bug, classified as CVE-2022-32894, uses the foothold established by the first exploit to jump from having control of a single app to taking over the infected device’s entire operating system, thus acquiring “administrative superpowers” normally only reserved for Apple staff.
Naked Security believes this “almost certainly” would allow a threat actor to spy on, download, and take over apps on the target device, as well as change its system security settings and access most of the data held on it.
Furthermore, a cybercriminal could use the exploit to take screenshots on the target device, track its browsing history and retrieve its location, copy text messages, and access its camera and microphone.
Naked Security added: “Apple hasn’t said how these bugs were found – other than to credit ‘an anonymous researcher’ – where in the world they’ve been exploited, and who’s using them or for what purpose.”
Urging Apple customers to follow the company’s patch instructions immediately, the research firm warned that left unchecked, the exploits could provide “all the functionality needed to mount a device jailbreak, deliberately bypassing almost all Apple-imposed security restrictions, or install background spyware and keep you under comprehensive surveillance.”
More from Cybernews:
Subscribe to our newsletter