Apple responded quickly by issuing updates to address two major security flaws, known as zero-day vulnerabilities, that were actively exploited in attacks. These flaws impacted iPhone, iPad, and Mac devices. In simple terms, zero-day vulnerabilities are significant flaws in software that hackers exploit before the product’s authors are even aware of them.
These specific bugs were discovered in WebKit, a web browser engine used in Apple products. By attracting users into accessing malicious websites, they let attackers gain critical information and execute malicious malware on susceptible devices.
Apple issued emergency upgrades to devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 to address these security concerns. These upgrades improved how the program validates and protects data input, to prevent these vulnerabilities from being exploited.
This security flaw affected a variety of Apple devices, including iPhone XS and later models, many iPad models (such as the iPad Pro and iPad Air), and Macs running particular versions of macOS.
Clément Lecigne, a security researcher at Google’s Threat Analysis Group (TAG), found and disclosed several zero-day vulnerabilities. Although Apple has not verified any active attacks using these flaws, Google TAG researchers have a track record of discovering and revealing zero-day vulnerabilities exploited in targeted attacks, particularly against high-profile targets such as journalists and politicians.
This is noteworthy since these are Apple’s 19th and 20th zero-day vulnerabilities found and resolved in 2023. Other zero-days were reported earlier this year, some of which were exposed by Google TAG and Citizen Lab, a research organization. Threat actors used these vulnerabilities to distribute malware such as Predator and Pegasus, giving unauthorized access to compromised machines.
Apple’s quick reaction attempts to protect consumers from vulnerabilities that cyber criminals may exploit. It’s part of an ongoing effort by Apple and security researchers to protect devices and keep possible attacks from jeopardizing user data and privacy.