Apple patches zero-day exploits. Stay secure with the latest updates and protect your devices from potential vulnerabilities. Anyone with an iPhone released since 2015, iPad released since 2014, or Mac running the latest macOS Monterey should update their software immediately, Apple says. The company has plugged a pair of security weaknesses that are classified as “zero days”—meaning hackers have been actively exploiting them. These weaknesses can grant attackers full admin access to an affected device.
1. Update to the latest macOS
Anyone with an iPhone released since 2015, an iPad released since 2014, or a Mac running macOS Monterey can update their device to fix the vulnerabilities. The software weaknesses affect the kernel, the deepest layer of the operating system that runs all these devices, and WebKit, which powers Safari.
The flaws could allow hackers to execute code on your device as if they were you. “If a malicious actor gains escalation of privilege on your iPhone or iPad, they can gain full control of your device,” Apple warned in its statement. It said it’s aware of reports that some hackers are taking advantage of the vulnerabilities.
Apple has already remediated some of these issues with earlier updates, including a patch this month for a flaw in WebKit that was being actively exploited in the wild. Anyone using an iPhone, iPad or a Mac can check for updates in Settings or by going to System Preferences and choosing Software Update. You can also use iStat Menus, a real-time system monitor that can help you identify any pitfalls or issues that may prevent an update from proceeding.
2. Update to the latest iOS
For iPhone users, the patch should be available now via a software update. If you don’t get the update, you can check for updates on your device by opening the settings app and selecting “software update.” Apple recommends updating as soon as possible.
The new security update fixes a pair of zero-day flaws — so called because they’re already being exploited — that affect the kernel and WebKit, which powers Safari. Such weaknesses are highly valuable on the black market, with cyberweapon brokers offering hundreds of thousands, or even millions, of dollars for a single weakness that can hack an iPhone or other Apple devices.
Apple has credited Clement Lecigne of Google’s Threat Analysis Group and Donncha O Cearbhaill of Amnesty International’s Security Lab for reporting the first vulnerability, while an anonymous researcher has been credited with the second. Both were deemed active in the wild and were fixed with improvements in bounds checking and memory management.
3. Update to the latest tvOS
Apple says the fixes address a pair of zero-days that are being exploited in the wild. The flaws affect the kernel, which is the deepest layer of the operating system that all the devices share. They also affect WebKit, which is the underlying technology of the Safari browser. The company credited researchers Lecigne and O Cearbhaill for reporting the issues. The vulnerabilities could be used to take complete control of the affected devices, Apple warned.
The flaws were described as a type confusion vulnerability and an out-of-bounds read issue in WebKit. The company remediated the problems by improving bounds checks and other technical safeguards. There are no further details about the exploits or the threat actors responsible for using them to hack users.
Anyone with an iPhone released since 2015, an iPad released since 2014 or a Mac running macOS Sierra or later should update their device immediately. The updates are available via the Settings app on the device or by choosing software update on a Mac. Rachel Tobac, CEO of cybersecurity firm SocialProof Security, said people should be especially attentive to updating their software if they’re an activist or journalist who might be the target of sophisticated nation-state spying.
4. Update to the latest watchOS
Apple shipped a set of security updates Thursday for its iOS, macOS, tvOS, and watchOS operating systems, including a pair of zero-day vulnerabilities that are “actively exploited in the wild”. One of the flaws is found in the kernel, the lowest layer of software on all of its devices, while the other affects the multi-platform WebKit browser engine.
Both weaknesses are classified as zero-days because hackers had the chance to exploit them before Apple’s update, and these bugs can be very valuable on the cyberweapon market. For example, a broker called Zerodium will pay up to $2m for an iPhone flaw that gives attackers full admin access.
Rachel Tobac, CEO of social-proof security firm SocialProof Security, pointed out that users should be especially vigilant about updating their devices. This is especially true for people in the public eye, such as human rights activists or journalists who may be a target of sophisticated nation-state spying campaigns.
Tobac added that users should also be careful about turning on iCloud Backup, which automatically uploads all of their data to the cloud. This feature is a good idea, but it’s worth noting that once the data is uploaded to iCloud, it can no longer be recovered from an external drive.
