The Department of Homeland Security’s (DHS) cybersecurity agency this week advised users and administrators to update their Apple, Microsoft, and Adobe products after security vulnerabilities were detected.
“Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device,” said the Cybersecurity Infrastructure & Security Agency in a
statement on April 11, referring to a handful of security updates issued for iPhones, iPads, and other devices in the past week.
This week, Apple rolled out its security update to older Apple iPhones, iPads, Mac desktop computers, and Macbooks after it released iOS and iPadOS 16.4.1 and macOS Ventura 13.3.1 to fix two actively exploited security flaws. That update was extended to older devices, including those that use
iOS and iPadOS 15.7.5,
macOS Monterey 12.6.5, and macOS
Big Sur 11.7.6 to patch the same security bugs.
That impacts all iPhone 6, iPhone 7, first-generation iPhone SE, iPad Air 2, fourth-generation iPad Mini, and seventh-generation iPod touch models that Apple sold in the mid-2010s, according to Apple’s support page. Last week’s update impacted all of Apple’s later phones and devices.
“If you have an older Mac, you need to ensure you have last week’s Safari update and this latest patch to go with it. If you have an older iPhone or iPad, you need to get today’s update, or else you remain vulnerable to both bugs, as used in the wild in the attack discovered by Amnesty and investigated by Google,”
said security firm Sophos on its blog.
The research firm
said that CVE-2023-28205 is a “hole in Webkit,” or the engine used by Apple’s Safari browser and other browsers, that can allow a hacker to “give cybercriminals control over your browser, or indeed any app that uses WebKit to render and display HTML content.”
“Apple’s own Safari browser uses WebKit, making it directly vulnerable to WebKit bugs,” the firm said. “Additionally, Apple’s App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices.”
CVE-2023-28206, another flaw that is being tracked and was patched, involves a security hole in IOSurfaceAccelerator. The bug can allow an app to execute code with kernel privileges, meaning an attacker can target the core of the code in iOS if it isn’t patched.
To update an Apple device, users can manually update to the latest version on their iPhones or iPads by heading to Settings, General, and Software Update. Then, they should tap Download and Install, follow the prompts, and wait for the phone or device to restart.
On Mac laptops and desktop computers, users can open the Apple menu and choose System Settings before going to General and then clicking on Software Update.
Meanwhile, Microsoft this week also issued an update that targets around 100 security vulnerabilities in the Windows operating system, it said. CISA also
urged users and administrators to update their devices. Microsoft’s series of updates
includes a patch to CVE-2023-28252, which is a weakness in the Windows Common Log System File System driver that is under active attack.
“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” Dustin Childs at the Trend Micro Zero Day Initiative
told Krebs on Security. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”
To update your Windows device or computer, select the Start menu, type “Windows Update,” and load the Windows Update item that is displayed. The user should then manually check for updates.
