‘Don’t put this off’: Apple issues urgent ‘zero-day alert’ for millions of users


Millions of Apple users have been urged “do not put this off” after the iPhone maker issued an urgent “zero-day alert”.

Jai Bednall

@jaibednall


An urgent warning has been issued to users of Apple’s iPhones, iPads and MacBooks after the global tech giant discovered “system vulnerabilities” and issued a “zero-day alert”.

Tech consultant Shelly Palmer explained to his email subscribers a “zero-day alert” is “geekspeak for system vulnerabilities serious enough to warrant a software update” and urged anyone with one of three Apple devices to immediately update.

“I just updated my iPhone, MacBooks, and iPads – you should, too,” Palmer wrote.

“For my geekiest readers: the identified vulnerabilities are particularly concerning because they affect WebKit, the rendering engine used for all third-party web browsers on iOS and iPadOS, including popular ones like Google Chrome, Mozilla Firefox, and Microsoft Edge. Apple’s restriction – ‘Apps that browse the web must use the appropriate WebKit framework and WebKit JavaScript’ – makes WebKit a particularly inviting target.

“For normal people: Do not put this off. Go to the settings menu on all your Apple devices and update your software ASAP.

“You know the cliche: ‘Security is a lot like oxygen. You don’t miss it until it isn’t there’.”

Tech security website Securityaffairs.com explained the two vulnerabilities in more detail, saying the “flaws are actively exploited in attacks in the wild”.

Both relate to the WebKit browser engine. The first is an out-of-bounds read where users can be tricked into visiting “specially crafted web content to disclose sensitive information”.

The second is a memory corruption vulnerability where victims can be tricked into visiting “specially crafted web content to potentially execute arbitrary code on the impacted devices”.

Apple addressed the first flaw with improved input validation and the second with improved locking.


Securityaffairs.com revealed “Clement Lecigne of Google’s Threat Analysis Group discovered both vulnerabilities”.

“The fact that the issues were discovered by Google TAG suggests they were exploited by a nation-state actor or by a surveillance firm,” it said.

The release of iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 addressed the flaws, which impacted iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and Macs running macOS Monterey, Ventura and Sonoma.
