By Tom Ozimek
Apple has released urgent security updates for its iOS and other operating systems to patch against vulnerabilities that both the tech giant and U.S. cyber security officials say are being actively exploited by hackers.
Apple’s security updates patch gaps in operating systems for the iPhone, iPad, and Mac products, as well as its Safari web browser.
Specifically, the software updates target iOS and iPad 17.1.2, macOS 14.1.2, and Safari 17.1.2, with Apple noting that the patches fix two vulnerabilities in WebKit, the browser engine that powers Safari and other apps.
The vulnerabilities, which Apple said were discovered by Google’s Threat Analysis Group, allow hackers to plant spyware or other types of malicious code on users’ devices over the internet.
More Details
One of the Webkit vulnerabilities allows hackers to steal users’ sensitive information that is exposed while processing web content. The other Webkit gap may lead to arbitrary code execution.
Apple said that the security updates involve improving input validation to address the risk that processing web content may disclose sensitive information. The other gap that could lead to arbitrary code execution was patched by improved locking in order to fix a memory corruption vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also took note of the security gaps in the Apple products.
“A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system,” CISA said in an alert.
No information was available as to who may be exploiting these vulnerabilities.
The security updates for iOS and iPadOS are available for the following: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
The security updates for the Mac operating system are available for macOS Sonoma 14.1.2.
Those for the Safari web browser are available for macOS Monterey and macOS Ventura.
Police Warnings About New iPhone Feature
Earlier, police and sheriff’s departments in multiple states issued warnings about an update on the iPhone and other Apple devices, known as NameDrop, that allows users to share contact details by holding two devices together.
The Middletown Division of Police in Ohio, the Mount Pleasant Department in Wisconsin, and the Henry County Sheriff’s Office in Tennessee, among others, posted warnings on social media regarding the feature.
“If you have an iPhone and have done the recent iOS 17 update. They have set a new feature called NameDrop to default to ON,” the Mount Pleasant Department warning stated. ” This allows the sharing of contact info just by bringing your phones close together. To shut this, off go to Settings, General, AirDrop, and Bringing Devices Together. Change to OFF.”
According to the department’s bulletin, the intent of the warning was to make the public aware of a problem that may not be easy to spot.
“This is intended for the public to be aware of as this is something that can easily be mistaken or looked past by elderly, children or other vulnerable individuals,” the department wrote. “The intentions of the information provided is to inform the public of this feature and adjust their settings as needed to keep their own or their loved ones’ contact information safe.”
In response to the warnings, an Apple spokesperson told USA Today and other outlets that the NameDrop feature is designed to share details “with only intended recipients” and that no contact information is automatically shared when two devices are close as the user must first take action.
“If NameDrop appears on a device and the user does not want to share or exchange contact information, they can simply swipe from the bottom of the display, lock their device or move their device away if the connection has not been established,” the spokesperson said.The company spokesperson added that “before a user can continue with NameDrop and choose the contact information they want to share, they will need to ensure their device is unlocked. NameDrop does not work with devices that are locked.”
It’s unclear if there have been any cases of hackers stealing users’ personal details via the feature.
Jack Phillips contributed to this report.
