High-severity vulnerabilities in Apple iOS, Safari: CERT-In
The government-run cyber security agency tasked with handling data breach incidents has identified multiple vulnerabilities in Apple iOS, iPadOS and Apple Safari versions prior to 16.1.
The vulnerabilities in Apple iOS and iPadOS could allow a remote attacker to gain access to sensitive information, execute arbitrary code, spoof the interface address or cause denial-of-service conditions on the targeted system, the Indian Computer Emergency Response Team (CERT-In) says in a statement.
The list of impacted devices includes Apple iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
A remote attacker could exploit these vulnerabilities by persuading the victim to open a specially crafted file or application, CERT-In says, while rating the vulnerabilities with a 'high' severity.
Successful exploitation of these vulnerabilities could allow the attacker to gain access to sensitive information, execute arbitrary code, spoof the interface address or cause denial-of-service conditions on the targeted system, it adds.
CERT-In urged users to apply appropriate software updates as mentioned in the Apple Security updates.
As per the report, these vulnerabilities exist due to improper security restrictions in the AppleMobileFileIntegrity component; an improper bounds check in the AVEVideoEncoder component; improper validation in the CFNetwork component; improper entitlement in the Core Bluetooth component; improper memory handling in the GPU Drivers component; a memory corruption issue in the IOHIDFamily component; a use-after-free issue and a race condition issue in the IOKit component; improper memory handling and an out-of-bounds write issue in the Kernel component; improper memory handling and a race condition issue in the PPP component; a use-after-free issue, improper security restrictions and improper path validation in the Sandbox component; improper UI handling, a type confusion issue and a logic issue in the WebKit component; a use-after-free error in the WebKit PDF component; and improper input validation in the Mail component.
The cyber security watchdog has also reported multiple vulnerabilities in Apple Safari versions prior to 16.1, which could allow an attacker to spoof URLs, disclose sensitive information or execute arbitrary code on the target system. As a solution, CERT-In said users should apply appropriate patches as mentioned by Apple.
This comes months after CERT-In issued an advisory to Apple Watch users in July, saying it contains "multiple vulnerabilities".
CERT-In had earlier reported multiple vulnerabilities in the Google Chrome app for desktop and the video conferencing platform Zoom.