Apple fixes security flaws allowing hacking of iPhones, iPads and Macs

Apple announced on Wednesday, August 17, that it had corrected two major software security flaws in the operating systems of its devices, namely the iPhone, iPad and Mac. These vulnerabilities, designated CVE-2022-32893 and CVE-2022-32894, affected two components of Apple’s software.

The first, WebKit, is the engine behind Safari, Apple’s web browser. WebKit is also used in all browsers available on iOS, the iPhone operating system. The flaw made it possible to bypass browser security and execute code on a device without the user’s knowledge if, for example, the user visited a web page designed by hackers.

The second flaw allowed an application to perform actions at the level of the kernel, a zone critical to the operation of a device in which the link between hardware and software is established. By being able to act in this specific area of a phone or computer, hackers could potentially take full control of the devices.

Flaws likely exploited

Without giving further details, Apple explained that these two vulnerabilities were probably exploited by unidentified actors, i.e. hackers seeking to take control of one or more devices.

It is likely that these two security flaws were used together. Hackers often use what are called “exploit chains”, i.e. several vulnerabilities triggered in succession to attack a device. For example, it would be possible here to exploit the WebKit flaw by creating a compromised web page to execute code on a target’s phone, then rely on the second vulnerability to gain access to the entire device.

Manufacturers like Apple regularly discover and fix security vulnerabilities of varying severity in their products. State, criminal and private groups alike are constantly seeking to discover new ways to circumvent the protections put in place by major groups in the IT industry, and there is even a market in which so-called “zero day” flaws are sold: vulnerabilities that have not yet been patched and are therefore exploitable.