Apple has now extended an emergency patch notice, which was recently issued for newer devices, to its entire array of platforms, cybersecurity firm Sophos reports.
The company’s Naked Security research team says that the tech giant has now pushed out full upgrades, “complete with brand-new version numbers, for every supported operating system version that the company supports.”
The extended list of releases that owners and operators are urged to install to get the emergency zero-day patch is: iOS 16.6 and iPadOS 16.6; iOS 15.7.8 and iPadOS 15.7.8; macOS Ventura 13.5, Monterey 12.6.8, and Big Sur 11.7.9; tvOS 16.6; Safari 16.6; and watchOS 9.6.
The renewed emergency patch notice also includes a permanent fix for the CVE-2023-37450 spyware bug that Sophos warned about on July 11th.
Sophos describes the glitch as consisting of “in-the-wild iPhone malware holes” or “code execution bugs” that are essentially “the next best thing to a zero day” vulnerability.
“Technically, code execution bugs that can be triggered by getting you to look at a web page that contains booby-trapped content don’t count as so-called zero-click attacks,” it said. “A true zero-click attack is where cybercriminals can take over your device simply because it’s turned on and connected to a network.”
It added: “But a ‘look-and-get-pwned’ attack, also known as a ‘drive-by install,’ where merely looking at a web page can invisibly implant malware, even though you don’t click any additional buttons or approve any pop-ups, is the next-best thing for an attacker.”
Cybercriminals will then try to piggyback off this first flaw by deploying a second bug that completely takes over a target device.
“Crooks love to combine a look-and-get-pwned exploit with a second, kernel-level code execution bug to take over your computer or your phone entirely,” said Sophos.
“If the malware the attackers execute via an initial browser hole is specifically coded to exploit the second bug in the chain, then they immediately escape from any limitations or sandboxing implemented in the browser app by taking over your entire device at the operating system level instead.”
This usually allows a threat actor to spy on every app being run on the target device, including the operating system, and covertly install malware as part of its startup procedure “thus invisibly and automatically surviving any precautionary reboots you might perform.”
There had been some confusion following the initial emergency notice, with Sophos expressing bafflement in a follow-up blog on July 12th as to why the spyware patch was pulled by Apple the following day.
However, the cybersecurity analyst now seems satisfied that the matter has been effectively resolved — for now at least — by the tech giant.
“Once again, we urge you to ensure that your Apple devices have downloaded (and then actually installed!) these updates as soon as you can,” said Sophos. “Even though we always urge you to patch early [and] often, the fixes in these upgrades aren’t just there to close off theoretical holes. Here, you’re shutting off cybersecurity flaws that attackers already know how to exploit.”
Urging Apple device owners to take advance precautions, it added: “Even if the crooks have only used them so far in a limited number of successful intrusions against older iPhones… why remain behind when you can jump ahead?”