Government warning for iPhone users: high risk due to multiple vulnerabilities

A new advisory from the Indian government’s cybersecurity team has warned that Apple iPhone and Apple iPad users are under ‘high-risk’.

As per a latest warning by Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology, multiple vulnerabilities have been reported in Apple iOS and iPadOS. These could allow a remote attacker to gain access to sensitive information, execute arbitrary code, spoofing of the interface address or denial of service conditions on the targeted device.

CERT-In warned that the multiple vulnerabilities found in the Mac operating system were classified as ‘critical’, which is the most serious rating in cyber security parlance.

The presence of these vulnerabilities mean that a hacker could run any commands or code of their choice on a target device after gaining control of the device using the vulnerability.

Even though Apple has released patches for the vulnerabilities, which can be installed by downloading the latest updates to the products users are not completely safe. What is most concerning is that, by Apple’s own admission, these vulnerabilities might have already been exploited by hackers.

Which devices are more vulnerable?

According to the advisory report of the central government, the flaws have been identified in the earlier versions of Apple iOS 16.1 and Apple iOS 16.0. This device suffers from flaws like CVE-2022-42827. These flaws have been identified in the Apple iPhone 8 and later iPhone models as well as iPad Pro models, iPad Air 3rd generation and later, and iPad mini 5th generation. CERT-IN advisory says flaws exist in Apple iOS and iPadiOS

“Apple is aware of a report that this issue may have been actively exploited,” Apple said in a statement regarding the vulnerabilities on its official website.

Apple devices running iOS & iPadOS versions prior to 15.5 have been rated highly severe. macOS Catalina prior to security update 2022-004, versions of macOS Big Sur prior to 11.6.6, and versions of macOS Monterey prior to 12.4 have been rated critically severe.

As for the Apple Watch, any device running watchOS versions prior to watchOS 8.6 is highly severe. Users who are using older versions of these OS should update their devices as soon as they can. If updating the device isn’t an option, all sensitive and critical data should be removed from the devices.

Reason for vulnerability in Apple devices

In its advisory, CERT-In says that these vulnerabilities exist in Apple iOS and iPadOS due to

• Improper security restrictions in AppleMobileFileIntegrity component
• Improper bounds check in Avevideoencoder component; Improper validation in CrNetwork component
• Improper entitlement in Core Bluetooth component
• Improper memory handling in GPU Drivers component
• Memory corruption issue in IOHIDFamily component
• Use after free issue and Race condition issue in IOKit component
• Improper memory handling and Out-of-bounds write issue in Kernel component
• Improper memory handling and Race condition issue in PPP component
• Use after free issue
• Improper security restrictions and Improper path validation in Sandbox component
• Improper UI handling, Type confusion issue and Logic issue in Webkit component
• Use-after-free error in WebKit PDF component
• Improper input validation in Mail component.

What should users do?

According to the advisory by CERT-In, Apple iPhone and iPad users should immediately install the latest available update on their smartphones to avoid any swindling. the vulnerability is being exploited in the wild. Users are advised to apply software updates as mentioned in the Apple Security updates.