US security agency says Apple users must update devices
Apple released iOS 16.3.1, iPadOS 16.3.1 and macOS Ventura 13.2.1 February 13. Now the US Cybersecurity and Infrastructure Security Agency (CISA) is warning all Mac, iPad, and iPhone users to update their devices as soon as possible as it patches a vulnerability that is already being exploited to take over people’s devices.
All your devices are belong to us
CISA isn’t fooling.
“Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit these vulnerabilities to take control of an affected device,” it explains.
“CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible.”
The update was released as a response to a zero day WebKit vulnerability Apple says may have been actively exploited. Attacks that use this vulnerability may already be taking place and if successful can be exploited to take control of affected devices.
Actively exploited
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple tells us.
Clearly this is a serious vulnerability that impacts iPhones from iPhone 8, Macs running macOS Ventura and most iPads. The update also patches a kernel bug.
Apple says Citizen Lab have helped with identifying at least one of the two bugs fixed in the release.
Given Citizen Lab are very active in terms of security flaws being abused by the new crop of private surveillance firms, it seems plausible to think the flaw has been used against the kind of people who need protection against such firms. (I’m thinking opposition politicians, human rights advocates or environmentalists, but I have no proof.)
CISA is particularly urging IT admins to review the information and push the updates out to users as soon as they possibly can.
So, if you’re someone using a Mac, iPhone, or iPad reading this, go install the update as soon as you’re able. And if you’re an IT admin managing a fleet of devices you should expedite putting this update through your company security protocols and push it out to your users ASAP.
Links for more info:
Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.