The Indian Computer Emergency Response Team (CERT-In) has highlighted multiple security vulnerabilities across Apple’s suite of mobile operating systems and urged users to immediately update to the latest version of each OS, which the Cupertino-based tech giant had rolled out on Tuesday.
CERT-In comes under the Union Ministry of Electronics and Information Technology and is tasked with “securing Indian cyber space” and regularly issues such security advisories.
Thursday’s advisories follow a note issued by the Indian cybersecurity watchdog on flaws in Apple’s native web browser, Safari.
Last year, Apple decoupled Safari from macOS, allowing the browser to be updated independently of the operating system — all other native Apple applications continue to be updated only as part of an OS update. The latest version of Apple’s web browser is Safari 15.5.
iPhone, iPad and iPod Touch can be updated to 15.5 by going to “Settings>General>Software Update”, while Apple Watch will automatically update to 8.6 while charging and in the vicinity of a paired iPhone.
According to CERT-In’s vulnerability notes issued on Thursday, older iOS, iPadOS and watchOS had multiple vulnerabilities which the agency rated “high” on the severity scale, and warned that they “could be exploited by a remote attacker to execute arbitrary code, bypass security restrictions and cause denial of service condition on a targeted system”.
This means a malicious actor can take advantage of these vulnerabilities and gain unauthorised access to a user’s device and sensitive personal data stored on it, and potentially lock the user out of the device.
In the case of iOS and iPadOS, CERT-In said the vulnerabilities were caused by improper execution of a variety of code, as well as lapses in security certificate parsing, “Safari Private Browsing” and failed authorisation and checks in Wi-Fi, as well as the Notes and Shortcuts applications.
“A remote attacker can exploit these vulnerabilities by persuading a victim to visit maliciously crafted web (page),” the CERT-In advisory said.
Similarly, in the case of watchOS, the vulnerabilities were caused by improper execution of code, failed security certificate checks and memory corruption.
As for Safari, CERT-In highlighted five “critical” vulnerabilities, which the agency said were found in the web browser on Apple’s Mac operating systems dubbed Big Sur (macOS 11, released in 2020) and Catalina (macOS 10.15, released in 2019). These vulnerabilities can be fixed by updating Safari to 15.5.
“These vulnerabilities exist in Apple Safari for macOS Big Sur and macOS Catalina due to memory corruption and use-after-free within the WebKit component,” CERT-In said.