Apple warns of vulnerability in its OS. Update or risk getting hacked

The tech giant just pushed out an emergency update for two zero-day bugs that are apparently actively being exploited.
19 August 2022

Apple warns of vulnerability in its OS. Update or risk getting exploited by hackers. (Photo by Don EMMERT / AFP)

  • Both vulnerabilities were found by Apple in WebKit, the browser engine that powers Safari and other apps, and the kernel, essentially the core of the OS.
  • Kernel and WebKit bugs can allow arbitrary code execution on Apple’s devices.
  • Users are urged to install emergency software updates although Apple has yet to disclose the extent to which the flaw has been exploited.

In an earnings call covering the first fiscal quarter of 2022, Apple CEO Tim Cook shared that there are over 1.8 billion active devices worldwide – a number that doesn’t come of much as a surprise considering how Apple’s devices are best bet for built-in privacy. However, even the most privacy-sensitive big technology company can be compromised and this week’s revelation by Apple on its OS (Operating System) is proof that no-one is exempt.

The company warned users around the world of a flaw in the Apple OS that is allowing hackers to seize control of iPhones, iPads and Mac computers. Apple then directed users of most of its devices to update their software as the vulnerability in its operating systems “may have been actively exploited.” The two vulnerabilities were found in WebKit, the browser engine that powers Safari and other apps, and the kernel, essentially the core of the operating system. 

Detail on the bugs on Apple OS

Apple said the WebKit bug could be exploited if a vulnerable device accessed or processed “maliciously crafted web content [that] may lead to arbitrary code execution,” while the second bug allowed a malicious application “to execute arbitrary code with kernel privileges,” which means it has full access to the device. The two flaws are believed to be related and affects both iOS and iPadOS and macOS Monterey

Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page. When Apple posted security updates online on Wednesday and Thursday, the tech giant also stated that the vulnerability it found affects iPhones dating back to the 6S model, iPad 5th generation and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models and the 7th generation iPod touch. 

The vulnerability also extends to Mac computers running the company’s Monterey OS as well as Apple’s Safari browser on its Big Sur and Catalina OS, the company said in a subsequent update. Sophos senior technologist, Paul Ducklin in a blog posting shared that the kernel bugs almost certainly means that an attacker could: spy on any and all apps currently running; download and start additional apps without going through the App Store; access almost all data on the device; change system security settings; retrieve your location; even take screenshots and see the cameras in the device; activate the microphone; copy text messages, and definitely track your browsing.

“Apple hasn’t said how these bugs were found (other than to credit “an anonymous researcher”), hasn’t said where in the world they’ve been exploited, and hasn’t said who’s using them or for what purpose,” Paul said, adding that the best thing to do is “Patch at once!” This round of vulnerabilities represent the fourth and fifth zero-day flaws patched by Apple this year. 

At this point, the number could just be on track to meet or supersede the number of these types of vulnerabilities that Apple was forced to respond to with fixes last year, which was 12, according to security researchers at Google, which keeps a spreadsheet of zero-day flaws categorized by vendor.