Federal Agency Issues Security Warning For Apple Devices, Gives Three Weeks To Comply
Authored by Jack Phillips via The Epoch Times (emphasis ours),
This week, a federal agency sent a warning about a vulnerability that impacts iPhones, iPads, Macbooks, and other Apple devices, saying that it could lead to major security breaches.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), an arm of the U.S. Department of Homeland Security, said on Jan. 30 that the issue, marked as CVE-2022-48618, can bypass “pointer authentication.” It said that not fixing the bug could pose a “significant” risk to the U.S. “federal enterprise.”
The bulletin also said that it issued a “binding operational directive” to issue updates to fix the problem, requiring federal civilian agencies to “remediate identified vulnerabilities by the due date to protect” its “networks against active threats.”
According to CISA, the agencies were given about three weeks to patch the issue. The deadline was set for Feb. 21, 2024.
But CISA also warned that it “strongly urges all organizations,” such as companies, to respond to the bug.
On a separate website, officials say that the issue has been fixed in macOS Ventura 13.1, watchOS 9.2, iOS 16.2 and, iPadOS 16.2, and tvOS 16.2. “An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1,” the bulletin said.
In a separate instance last month, CISA sent out an advisory for iPhone and other iOS users to update their products for another security issue.
“Apple has released security updates for iOS and iPadOS, macOS, Safari, watchOS, and tvOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system,” said the agency on Jan. 23. It then recommended that users update their software.
As usual, Apple provided few details about the fixes in the latest update, which applies to iPhones and iPads. But one of the fixed issues, known as CVE-2024-23222, was a vulnerability in WebKit, which runs the Safari browser, that could allow an actor to execute code on a device.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” the Cupertino-based tech giant said on Jan. 22.
Several other bugs that impact WebKit, Safari, reset services, mail, kernel (the core of an operating system), and more were fixed in the update, according to Apple’s support page.
Two WebKit issues also could lead to remote code execution, while the kernel problem could allow an attacker to execute code through an app, it said.
“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page,” the company said.
In September, the federal cybersecurity agency directed other agencies to fix an exploit that could infect iPhones with the controversial NSO Group’s Pegasus spyware that has allegedly been used to surveil individuals in other countries as well as iPhones belonging to individuals at a Washington-based civil society organization.
Here’s How to Update
The update will be automatic for many iPhone users, but it depends on their phone settings.
Users can go to the iPhone’s Settings before tapping General, then tapping Software Update to download and install iOS 17.3 (or iOS 16.7.5 or iOS 15.8.1 for older models), as well as the aforementioned security fixes. That download can be accessed regardless of whether the user has automatic updates turned on or off.
According to the company, its latest iOS and iPhone update will separately provide more crash detection optimizations for all iPhone 14 and iPhone 15 models. Apple posted its most recent update’s full release notes on its website.