Apple issues security update after discovering a flaw that could let hackers take over iPhones
If you’re using an iPhone, you’ll want to install the latest software update as soon as possible, as your device could be vulnerable to attack.
Apple rolled out iOS 16.4.1 to all compatible handsets on Friday, including the iPhone 8 and newer models.
The update fixes two vulnerabilities that appeared in the previous software, iOS 16.4, which was released late last month.
The same flaws were also present in older versions of the Mac and iPad software, so Apple also released macOS Ventura 13.3.1 and iPadOS 16.4.1.
According to Apple, both vulnerabilities could have allowed hackers to infiltrate the device and “execute arbitrary code.”
This means that they can run any code they want on a targeted device without the owner’s knowledge.
Such code could allow them to access private data, gain control over the functionality of the device, and install malware.
It could even allow them to take control of other devices on the same network or internet connection as the original device.
The vulnerabilities, tracked as CVE-2023-28206 and CVE-2023-28205, are so-called “zero-day” flaws, meaning they were unknown to Apple when the software was deployed.
It also means that devices running that software were vulnerable to attack, as the tech giant had not yet released a patch or security update to fix them.
Apple said it is aware that both CVE-2023-28206 and CVE-2023-28205 “may have been actively exploited” prior to the release of iOS 16.4.1, macOS Ventura 13.3.1, and iPadOS 16.4.1.
CVE-2023-28206 was an out-of-bounds write issue within the IOSurfaceAccelerator, a component of the software that manages pixel data.
This means a program could write data beyond the end of the memory region set aside for it, so the data ends up in the wrong place, which can cause problems.
CVE-2023-28205 was a use-after-free issue within the WebKit web browser engine.
This means that a program tries to use or access something it once stored in memory after that memory has already been released.
The flaws were discovered by Clément Lecigne of Google’s Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International’s Security Lab.
According to BleepingComputer, these research groups are typically used by Apple to search for government-sponsored threat actors.
Therefore, these would likely only be exploited in “highly targeted attacks” against politicians, journalists and high-risk individuals.
Both of these issues are fixed with the iOS 16.4.1 update, along with bugs that caused Siri to not respond to commands and prevented skin tone variation options from appearing for the pushing hands emoji.
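For anyone looking after more than one Apple device, the check below flags those still running software older than the fixed releases named above. It is an added example, not code from Apple or from the original article; the hostnames and versions in the inventory are constructed, and it assumes the only fixed releases are the three this article names.

```python
# Added example: flag devices below the fixed releases named in the article.
# Assumption: anything older than these three releases is treated as unpatched.
FIXED = {
    "iOS": (16, 4, 1),
    "iPadOS": (16, 4, 1),
    "macOS": (13, 3, 1),  # macOS Ventura
}


def parse_version(text):
    """Turn '16.4' into (16, 4, 0) so comparison is numeric, not string-based."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def needs_update(platform, version):
    """True if the device runs a release older than the fixed one for its platform."""
    if platform not in FIXED:
        raise ValueError(f"no fixed release known for {platform!r}")
    return parse_version(version) < FIXED[platform]


def audit(inventory):
    """Return the hostnames whose OS is older than the fixed release."""
    return [host for host, platform, version in inventory
            if needs_update(platform, version)]


# Constructed inventory: hypothetical hostnames and versions for illustration.
SAMPLE_INVENTORY = [
    ("iphone-alice", "iOS", "16.4"),     # one release behind the fix
    ("iphone-bob", "iOS", "16.4.1"),     # fixed
    ("ipad-lobby", "iPadOS", "16.3.1"),
    ("mbp-carol", "macOS", "13.3"),
    ("mbp-dave", "macOS", "13.10"),      # hypothetical: 13.10 sorts above 13.3.1
    ("iphone-eve", "iOS", "16.10"),      # hypothetical: 16.10 sorts above 16.4.1
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Comparing versions as tuples of numbers matters here: a plain text comparison would wrongly rank "16.10" below "16.4.1".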
The previous software update, iOS 16.4, came with a range of new features, including the addition of 21 new emoji to the keyboard.
This includes the long-awaited pink heart icon, as well as a shaking face (“I’m shook”), a moose, stem ginger, the Wi-Fi symbol, and a pair of maracas.
Software updates from Apple don’t always go smoothly, which explains why some are hesitant to install them when they are offered.
Some of those who updated to iOS 16.4 complained that a system bug drained their device’s battery quickly.
Last week, iPhone users around the world were unable to access live forecasts on the Apple Weather app, which some also linked to their new operating system.