Apple has swiftly issued critical security patches for its primary products shortly after launching fresh iterations of their operating systems. On Thursday, the company released updates for iOS 17/iPadOS 17 and WatchOS 10, designed to address various zero-day vulnerabilities that had the potential to expose devices to malicious attacks.
In the support documentation for these updates, Apple disclosed that these vulnerabilities might have already been used for malicious purposes on versions preceding iOS 16.7. Owners of iPhones, iPads, and Apple Watches are strongly advised to apply the most recent security updates to their devices. To do so on your iPhone or iPad, navigate to Settings, choose General, tap on Software Updates, and then select the Update Now option. If you own an Apple Watch, you can update it by opening the Watch app on your paired iPhone, going to the My Watch tab, selecting General, then choosing Software Update, and finally installing the latest update.
The latest update, iOS 17.0.2, is available for owners of the new iPhone 15, while users with older iPhones will receive iOS 17.0.1. Apple Watch users should install WatchOS 10.0.1. Regarding the first update targeting the OS kernel, Apple mentioned that it addresses a potential privilege elevation by a local attacker. The second fix, labeled as Security, addresses the issue of a malicious app bypassing signature validation.
The third update, related to WebKit, addresses a vulnerability where processing web content could lead to arbitrary code execution. Although Apple did not provide specific details about these security vulnerabilities, credit for discovering them goes to Bill Marczak from The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone from Google’s Threat Analysis Group. Both organizations have a track record of uncovering security exploits related to spyware capable of remote device monitoring and control.
Earlier this month, Apple issued emergency patches for iOS 16/iPadOS 16, WatchOS 9.7, and MacOS Ventura 13.5. The vulnerabilities were discovered by The Citizen Lab, which revealed that these zero-click vulnerabilities were being used to deploy the notorious Pegasus spyware developed by the NSO Group. Pegasus is known for targeting government officials, political activists, and journalists, allowing remote access to devices for data collection, monitoring chats and emails, and spying through the device’s camera and microphone.
