Apple Says Zero-Day Bugs Exploited Against 'Specific Targeted Individuals' Using iOS
Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. In a series of security advisories posted on its website, Apple confirmed it fixed the two zero-day vulnerabilities, which “may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.”
The bugs are considered zero days because they were unknown to Apple as they were being exploited. It’s not yet known who is behind the attacks or how many Apple customers were targeted, or if any were successfully compromised. A spokesperson for Apple did not return TechCrunch’s inquiry.
A Sophisticated Attack
Apple credited the discovery of one of the two bugs to security researchers working at Google’s Threat Analysis Group, which investigates government-backed cyberattacks. This may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency. Some government-backed cyberattacks are known to involve the use of remotely planted spyware and other phone-unlocking devices.
The Bugs
Alice bug affects Apple’s Core Audio, the system-level component that Apple uses across its various products to allow developers to interact with device audio. The bug could be exploited by processing an audio stream in a maliciously crafted media file, which can allow the execution of malicious code on an affected Apple device.
The other bug, which Apple took sole credit for discovering, allows an attacker to bypass pointer authentication, a security feature that Apple uses in its software to make it more difficult for attackers to corrupt or otherwise inject malicious code into a device’s memory.
Software Updates
Apple released a software update for macOS Sequoia, bumping the software version to 15.4.1, and released iOS 18.4.1 that fixes the security bugs in iPhones and iPads. Apple TV and the company’s mixed-reality headset Vision Pro also received the same security updates.
These updates are available now for users to download and install, with Apple urging customers to update their devices as soon as possible to ensure they have the latest security patches. Users can check for updates on their device by going to Settings > General > Software Update on iOS devices or by clicking on the Apple logo in the top left corner of the screen and selecting “Updates” on macOS.
A Potential Indication of State-Sponsored Attacks
The fact that one of the bugs was discovered by Google’s Threat Analysis Group, a team that investigates government-backed cyberattacks, may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency. This is not to say that Apple or Google is certain of this, but it does suggest that the attacks could have been state-sponsored.
What Customers Need to Know
While the exact number of customers who may have been targeted or compromised by these attacks is not yet known, users should be aware of the potential risks and take steps to protect themselves. This includes keeping their devices up-to-date with the latest security patches, using strong passwords and two-factor authentication, and being cautious when opening emails or downloading attachments from unknown sources.
Apple has also reminded users that these attacks are sophisticated and may have involved zero-day exploits, which means that they were not known to Apple at the time they occurred. The company is urging customers to be vigilant and take steps to protect themselves from potential threats.