Apple is urging millions of iPhone and iPad owners to update to iOS 16.5 immediately, rather than waiting for the automatic update procedure, after confirming that three zero-day security concerns may be actively exploited in real-world assaults.
What do we know about the security concerns to the iPhone and iPad?
Apple is well-known for making only the most basic technical details about security vulnerabilities fixed in any iOS version public, but the smartphone behemoth has revealed that three zero-day vulnerabilities are among the 39 resolved in this latest iOS update release.
All of these have an influence on WebKit and users of iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad Mini 5th generation and later. If you do the arithmetic, that means more than a billion users are potentially vulnerable to these zero-day vulnerabilities unless they update to 16.5 as soon as feasible.
Apple has confirmed three WebKit zero-days
The three flaws were all found in Apple’s WebKit browser engine, and the company said that it “is aware of a report that this issue may have been actively exploited.”
Specifically, these are
- CVE-2023-32409, which allows a remote attacker to escape the Web Content security sandbox.
- CVE-2023-28204, which may cause sensitive information to be disclosed when processing web pages.
- CVE-2023-32373, which might allow maliciously crafted web content to execute arbitrary code.
If An Attacker Successfully Exploits These Loopholes, Security Experts Warn Of Serious Consequences
According to Sean Wright, lead application security engineer at Featurespace, iOS 16.5 contains “another mixed bag of vulnerabilities, some with quite severe consequences if an attacker were able to successfully exploit them.” “By combining some of these vulnerabilities, an attacker may be able to remotely gain full control of a device,” Wright says.
However, Wright thinks that the most concerning vulnerabilities are these WebKit flaws, which are thought to be regularly exploited in the wild. “These are the ones that I would be concerned about,” Wright says. “I would strongly recommend that people update as soon as possible, but there’s no reason to panic about these vulnerabilities.” They will most likely target high-profile users such as the media, politicians, and so on.”
It’s important to get the 16.5 iOS update as soon as possible since it fixes 39 security vulnerabilities, including three that have been exploited in the wild. However, it’s not the only iOS update available. The initial betas of iOS 16.6 and iPad OS 16.6 have also been made available by Apple via the Apple Developer Programme channel.
Although there wasn’t much information accessible right away, information has eventually started to slip out. Additionally, it’s fantastic news for privacy and security. The long-awaited Contact Key Verification feature for iMessage is now starting to seem like it may materialise, according to Apple Insider.
Apple has stated that it will be accessible “at some point” this year, albeit exactly when is unknown.
What does iMessage’s Contact Key Verification do? The iMessage Contact Key Verification function’s stated purpose is to safeguard high-value, high-risk users from the types of hostile actors—including well-funded, state-sponsored ones—who are most likely to attack them. Simply put, the capability makes it possible to confirm that message is just between the sender and intended recipient, free from any outside eavesdropping, in addition to the current iMessage end-to-end encryption. According to the Apple Insider story, users would be informed “if a state-sponsored attacker were to somehow succeed in breaching cloud servers or to otherwise find a way to monitor encrypted communications,” if both parties had Contact Key Verification activated.
Why you must immediately update to iOS 16.5
Therefore, even if there is no need to panic in this situation, you should upgrade your iPhone or iPad to iOS 16.5 as soon as you can. However, not everyone will discover that the iOS automated update procedure takes care of this for them as they sleep tonight. In fact, one security researcher who is regarded as a friend of the Straight Talking Cyber team here at Forbes claims that none of the several iPhone models he uses for his vulnerability and exploit testing work have ever worked with automatic updates. In fact, consumers are recommended to utilise the manual update method instead because these automated upgrades go out area by region. You may initiate the update process by going to Settings|General|Software Update.
Also Check Out How To Enable and Disable AOD