Apple fixes zero-day spyware implant bug – patch now!

Apple has just released updates for all supported Macs, and for any mobile devices running the very latest versions of their respective operating systems.

In version number terms:

  • iPhones and iPads on version 16 go to iOS 16.3.1 and iPadOS 16.3.1 respectively (see HT213635).
  • Apple Watches on version 9 go to watchOS 9.3.1 (no bulletin).
  • Macs running Ventura (version 13) go to macOS 13.2.1 (see HT213633).
  • Macs running Big Sur (version 11) and Monterey (12) get an update dubbed Safari 16.3.1 (see HT213638).

Oh, and tvOS gets an update, too, although Apple’s TV platform confusingly goes to tvOS 16.3.2 (no bulletin).

Apparently, tvOS recently received a product-specific functionality fix (one listed on Apple’s security page with no information beyond the sentence This update has no published CVE entries, implying no reported security fixes) that already used up the version number 16.3.1 for Apple TVs.

As we’ve seen before, mobile devices still using iOS 15 and iOS 12 get nothing, but whether that’s because they’re immune to this bug or simply that Apple hasn’t got round to patching them yet…

…we have no idea.

We’ve never been quite sure whether this counts as a telltale of delayed updates or not, but (as we’ve seen in the past) Apple’s security bulletin numbers form an intermittent integer sequence. The numbers go from 213633 to 213638 inclusive, with a gap at 213634 and gaps at 213636 and 213637. Are these security holes that will get backfilled with yet-to-be-released patches, or are they just gaps?

What sort of zero-day is it?

Given that the Safari browser has been updated on the pre-previous and pre-pre-previous versions of macOS, we’re assuming that older mobile devices will eventually receive patches, too, but you’ll have to keep your eyes on Apple’s official HT201222 Security Updates portal to know if and when they come out.

As mentioned in the headline, this is another of those “this smells like spyware or a jailbreak” issues, given that all the updates for which official documentation exists include patches for a bug denoted CVE-2023-23529.

This security hole is a flaw in Apple’s WebKit component that’s described as “Processing maliciously crafted web content may lead to arbitrary code execution.”

The bug also receives Apple’s usual euphemism for “this is a zero-day hole that crooks are already abusing for evil ends, and you can surely imagine what those might be”, namely the words that Apple is aware of a report that this issue may have been actively exploited.

Remember that WebKit is a low-level operating system component that’s responsible for processing data fetched from remote web servers so that it can be displayed by Safari and many other web-based windows programmed into hundreds of other apps.

So, the words arbitrary code execution above really stand for remote code execution, or RCE.

Installjacking

Web-based RCE exploits generally give attackers a way to lure you to a booby-trapped website that looks entirely unexceptionable and unthreatening, while implanting malware invisibly simply as a side-effect of you viewing the site.

A web RCE typically doesn’t provoke any popups, warnings, download requests or any other visible signs that you are initiating any sort of risky behaviour, so there’s no point at which the attacker needs to catch you out or to trick you into taking the sort of online risk that you’d normally avoid.

That’s why this sort of attack is often referred to as a drive-by download or drive-by install.

Just looking at a website, which ought to be harmless, or opening an app that relies on web-based content for any of its pages (for example its splash screen or its help system), could be enough to infect your device.

Remember also that on Apple’s mobile devices, even non-Apple browsers such as Firefox, Chrome and Edge are compelled by Apple’s AppStore rules to stick to WebKit.

If you install Firefox (which has its own browser “engine” called Gecko) or Edge (based on an underlying layer called Blink) on your Mac, those alternative browsers don’t use WebKit under the hood, and therefore won’t be vulnerable to WebKit bugs.

(Note that this doesn’t immunise you from security problems, given that Gecko and Blink may bring along their own additional bugs, and given that plenty of Mac software components use WebKit anyway, whether you steer clear of Safari or not.)

But on iPhones and iPads, all browsers, regardless of vendor, are required to use the operating system’s own WebKit substrate, so all of them, including Safari, are theoretically at risk when a WebKit bug shows up.

What to do?

If you have an Apple product on the list above, do an update check now.

That way, if you’ve already got the update, you’ll reassure yourself that you’re patched, but if your device hasn’t got to the front of the download queue yet (or you’ve got automatic updates turned off, either by accident or design), you’ll be offered the update right away.

On a Mac, it’s Apple menu > About This Mac > Software Update… and on an iDevice it’s Settings > General > Software Update.

If your Apple product isn’t on the list, notably if you’re stuck back on iOS 15 or iOS 12, there’s nothing you can do right now, but we suggest keeping an eye on Apple’s HT201222 page in case your product is affected and does get an update in the next few days.
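As a practitioner’s follow-up to the update check above, here is an added example (not code from the article or from Apple) that encodes the fixed-version list given earlier and reports, for a device’s reported OS and Safari versions, whether it carries the CVE-2023-23529 fix, is still vulnerable, or cannot be judged from the bulletins at all (iOS 15 and iOS 12, say). The function names and the sample inventory are assumptions made here; on a real Mac you would feed it the output of `sw_vers -productVersion`.

```python
from typing import Optional

# Added example. The fixed-version table is the one the article lists; the rest is constructed.
# Key: (platform, major version) -> first version that contains the WebKit (CVE-2023-23529) fix.
FIXED = {
    ("iOS", 16): "16.3.1",
    ("iPadOS", 16): "16.3.1",
    ("watchOS", 9): "9.3.1",
    ("macOS", 13): "13.2.1",
    ("tvOS", 16): "16.3.2",
}
# Big Sur (11) and Monterey (12) get the fix as a Safari update rather than an OS update.
SAFARI_FIXED = {11: "16.3.1", 12: "16.3.1"}


def parse_version(v: str) -> tuple:
    """Turn '13.2.1' into (13, 2, 1)."""
    return tuple(int(p) for p in v.split("."))


def at_least(have: str, need: str) -> bool:
    """Numeric comparison, zero-padding short versions so 16.3 < 16.3.1 and 16.10 > 16.3.1."""
    a, b = parse_version(have), parse_version(need)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def patch_status(platform: str, os_version: str, safari_version: Optional[str] = None) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' (no fix listed for that major version)."""
    major = parse_version(os_version)[0]
    if platform == "macOS" and major in SAFARI_FIXED:
        if safari_version is None:
            return "unknown"  # a Big Sur/Monterey Mac cannot be judged without its Safari version
        return "patched" if at_least(safari_version, SAFARI_FIXED[major]) else "vulnerable"
    need = FIXED.get((platform, major))
    if need is None:
        return "unknown"  # e.g. iOS 15 or iOS 12: no update listed, so the bulletins say nothing
    return "patched" if at_least(os_version, need) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (device names and versions made up for illustration).
    inventory = [
        ("iPhone-A", "iOS", "16.3", None),
        ("iPad-B", "iPadOS", "15.7.3", None),
        ("Mac-C", "macOS", "13.2.1", None),
        ("Mac-D", "macOS", "12.6.3", "16.3"),
    ]
    for name, plat, osv, saf in inventory:
        print(f"{name:9} {plat:7} {osv:7} -> {patch_status(plat, osv, saf)}")
```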

As you can imagine, given how strictly Apple locks down its mobile products to stop you using apps from anywhere but the App Store, over which it exerts complete commercial and technical control…

…bugs that allow rogues and crooks to inject unauthorised code onto Apple phones are highly sought after, given that RCEs are about the only reliable way for attackers to hit you up with malware, spyware or any other sort of cyberzombie programming.

Which gives us a good reason, as always, to say: Don’t delay / Do it today.