Apple releases iOS 17 patch to fix potentially exploited flaws

22 Sep 2023


The iPhone maker has released various patches this year, including one earlier this month to fix a flaw that was exploited by Pegasus spyware.

Apple has released a security update for its latest version of iOS, due to reports of flaws that may have been “actively exploited” by cyberattackers.

The iPhone maker released details of three security flaws that are being patched by this new update for iOS and iPadOS. These flaws were found in iPhone models as far back as the iPhone XS, along with certain iPad, iPad Pro, iPad Air and iPad mini models.

One of the security flaws was discovered in WebKit, the browser engine used by Safari and other apps that can access the web. Apple said this flaw could allow hackers to achieve arbitrary code execution, which they can use to try to gain administrator control of a device.

Another flaw impacted the kernel, which is the core of a device’s operating system. Apple said this flaw could be used by local attackers to “elevate their privileges”. Apple said the last security flaw could be exploited by a malicious app to bypass signature validations on certain Apple devices.

The three flaws were discovered by researchers at digital watchdog Citizen Lab and Google’s Threat Analysis Group. Apple did not disclose any details about how many people may have been impacted to date by these security flaws.

Some of the flaws are similar to zero-day vulnerabilities that were discovered earlier this year on iPhone models as far back as the iPhone 8, which also had the potential to give hackers full control of certain Apple devices. Those flaws also impacted all iPad Pro models, along with some iPad, iPad mini and iPad Air models.

These types of vulnerabilities have been exploited by malicious actors in the past, notably with the use of Pegasus spyware. Earlier this month, Apple released a security update to patch a zero-day vulnerability related to this spyware. This flaw was also discovered by Citizen Lab.

The vulnerability was ‘zero-click’, which means that users do not need to click a link or do anything to have the spyware installed on their iPhones or iPads. It was identified a few weeks ago by Citizen Lab researchers who were checking the device of an employee of a Washington DC-based civil society organisation.


Leigh Mc Gowran is a journalist with Silicon Republic
