‘Don’t put this off’: Apple issues urgent ‘zero-day alert’ for millions of users

Millions of Apple users have been urged “do not put this off” after the iphone maker issued an urgent “zero-day alert”.

Jai Bednall

@jaibednall

2 min read

December 2, 2023 - 7:50AM

iPhone users have been warned to make an urgent move. (Photo by Patrick T. Fallon / AFP)

Smartphone

Don't miss out on the headlines from Smartphone. Followed categories will be added to My News.

An urgent warning has been issued to users of Apple’s iphones, iPads and MacBooks after the global tech giant discovered “system vulnerabilities” and issued a “zero-day alert”.

Tech consultant Shelly Palmer explained to his email subscribers a “zero-day alert” is “geekspeak for system vulnerabilities serious enough to warrant a software update” and urged anyone with one of three Apple devices to immediately update.

“I just updated my iPhone, MacBooks, and iPads – you should, too,” Palmer wrote.

“For my geekiest readers: the identified vulnerabilities are particularly concerning because they affect WebKit, the rendering engine used for all third-party web browsers on iOS and iPadOS, including popular ones like Google Chrome, Mozilla Firefox, and Microsoft Edge. Apple’s restriction – “Apps that browse the web must use the appropriate WebKit framework and WebKit JavaScript” – makes Webkit a particularly inviting target.

“For normal people: Do not put this off. Go to the settings menu on all your Apple devices and update your software ASAP.

“You know the cliche: ‘Security is a lot like oxygen. You don’t miss it until it isn’t there’.”

Update your iPhone now.

Tech security website Securityaffairs.com explained the two vulnerabilities in more detail, saying the “flaws are actively exploited in attacks in the wild”.

Both relate to the WebKit browser engine. The first is an out-of-bounds read where users can be tricked into visiting “specially crafted web content to disclose sensitive information”.

The second is a memory corruption vulnerability where victims can be tricked into visiting “specially crafted web content to potentially execute arbitrary code on the impacted devices”.

A range of iPads were also impacted.

Apple addressed the first flag with improved input validation and the second with improved locking.

Securityaffairs.com revealed “Clément Lecigne of Google’s Threat Analysis Group discovered both vulnerabilities”.

“The fact that the issues were discovered by Google TAG suggests they were exploited by a nation-state actor or by a surveillance firm,” it said.

The release of iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 addressed the flaws, which impacted iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, iPad mini 5th generation and Macs running macOS Monterey, Ventura and Sonoma.