Security News > 2023 > April > Apple issues emergency patches for spyware-style 0-day exploits – update now!
Apple's App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices.
Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves.
Ironically, kernel-level bugs that rely on a booby-trapped app are often not much use on their own against iPhone or iPad users, because Apple's strict App Store "Walled garden" rules make it hard for attackers to trick you installing a rogue app in the first place.
You can't go off market and install apps from a secondary or unofficial source, even if you want to, so crooks would need to sneak their rogue app into the App Store first before they could attempt to talk you into installing it.
The worrying thing about both bugs is not only that they're zero-day holes, meaning the attackers found them and were already using them before any patches were figured out, but also that they were reported by "Clément Lecigne of Google's Threat Analysis Group and Donncha Cearbhaill of Amnesty International's Security Lab".
Apple isn't giving any more detail than that, but it's not a big jump to assume that this bug was spotted by privacy and social justice activists at Amnesty, and investigated by incident response handlers at Google.
News URL
Related news
- GoFetch security exploit can't be disabled on M1 and M2 Apple chips (source)
- Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks (source)
- Apple: Mercenary spyware attacks target iPhone users in 92 countries (source)
- Apple stops warning of 'state-sponsored' attacks, now alerts about 'mercenary spyware' (source)
- Apple Alerts iPhone Users in 92 Countries to Mercenary Spyware Attacks (source)