Apple issues security fixes for zero-day vulnerabilities

Apple has released emergency security patches for its core products just days after rolling out brand new versions of their operating systems. On Thursday, the company updated iOS/iPadOS 17 and WatchOS 10 with fixes aimed at patching several zero-day vulnerabilities that could leave a device open to a particular form of spyware.

iPhone, iPad, and Apple Watch owners are urged to update their devices with this latest round of security fixes. On your iPhone or iPad, go to Settings, select General, tap Software Updates, and then tap the Update Now button. For an Apple Watch, open the Watch app on your phone. At the My Watch tab, head to General, select Software Update, and install the latest update.

Owners of the new iPhone 15 will find iOS 17.0.2 waiting. Users of older iPhones will jump to iOS 17.0.1. And Apple Watch wearers will install WatchOS 10.0.1.

At its support pages for the iOS/iPadOS updates and the WatchOS update, Apple revealed that the vulnerabilities may have been actively exploited on versions prior to iOS 16.7. The company gave credit for discovering the bugs to Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group.

Through Apple didn’t reveal the nature of the vulnerabilities, both The Citizen Lab and Google’s Threat Analysis Group released their own reports that described the threat to targeted devices.

In a Friday blog post, Google’s Threat Analysis Group explained that Apple’s security updates were issued in response to a zero-day exploit chain being used to install Predator spyware developed by Egyptian commercial surveillance vendor Intellexa. This type of spyware can record audio from regular phone and VoIP audio calls. Predator is also able to gather data from popular chat and calling apps, including WhatsApp, Telegram, and Signal.

The process worked through a man-in-the-middle attack in which a victim tries to visit an http website. With such traffic unencrypted, the attacker can send fake data back to the user to redirect them to an Intellexa website and exploit server. From there, the spyware could be installed without the user having to open any documents, clicking any specific links, or answering any phone calls.

September 25, 2023

Written by Lance Whitney

Click to read the entire article on ZDNet

More Posts

November 18 through 21, 2024

I will be away from my desk in the late morning every day this week due to appointments. Otherwise I will be continuing to work

November 11, 2024

Veterans Day -a day to honor those who have served in the American military. Unlike Memorial Day (which is a somber day to remember those

November 4 through 7, 2024

This week I will begin working on a project to improve the structure on the Brokers Network Group domain web site. This will be a