The Indian government has released a report highlighting security vulnerabilities in Apple devices. The Computer Emergency Response Team of India (CERT-IN) has issued an urgent alert, identifying security threats affecting a range of Apple products, including iPhones, iPads, Apple Watches, iMacs, MacBooks, and the Safari Browser. These vulnerabilities stem from software flaws.
CERT-IN, operating under the Ministry of Electronics and Information Technology (MeitY), previously exposed vulnerabilities in the Google Android Operating System.
On CERT-India’s official website, a CIVN-2023-0275 notification warns that hackers can exploit a security validation certificate flaw in the Security Code Component. This allows them to execute malicious code and gain privileged access control, bypassing all security protections through crafted requests.
Additionally, a flaw was discovered in Apple’s Kernel, enabling the execution of instruction code between the device’s software and hardware.
Regarding the Safari browser, errors in Apple’s WebKit left browsers exposed to multiple vulnerabilities.
The following software versions have been identified as vulnerable to these threats:
1. Apple macOS Monterey Versions released before 12.7
2. Apple macOS Ventura Versions released before 13.6
3. Apple WatchOS Versions released before 9.6.3
4. Apple WatchOS Versions released before 10.0.1
5. Apple iOS Versions before 16.7 and iPadOS Versions before 16.7
6. Apple iOS Versions before 17.0.1 and iPadOS Versions before 17.0.1
7. Apple Safari versions before 16.6.1
In response to this news, Apple has stated that all the vulnerabilities identified by CERT have already been addressed. It now falls upon users to ensure their devices are updated with the latest software fixes.
Furthermore, Apple has issued emergency security patches for iOS/iPadOS 17 and WatchOS 10 to address zero-day vulnerabilities that could potentially expose devices to spyware. While Apple hasn’t provided detailed information about the spyware or the extent of the damage it may have caused, it acknowledged Maddie Store of Google’s Threat Analysis Group and Bill Marczak of Citizen Lab, based at the University of Toronto’s Munk School, for discovering the vulnerabilities.
Note: According to a Telegram resource, the fix was issued to counter the ‘Predator’ spyware developed by Intellexa of Egypt.