The Computer Emergency Response Team (CERT-in) Advisory from January 31, alerts Indian users of Apple products to potential security risks. Updates for devices, such as the iPhone, iPad, and MacBook, are desperately needed to address security flaws and stop ransomware attempts, illegal access, and data theft. Due to security flaws found in certain software versions, attackers may be able to access private data, run arbitrary code, get around security measures, and escalate their privileges on the systems they target.
The consequences of this security risk is widespread, affecting Apple devices dating right back to the iPhone 6 series, iPad Air 2, and even the iPod Touch 7th generation model. With the attackers capable of hacking into devices, users are advised to take action right away to safeguard their data and personal content.
Users who are impacted are advised by CERT-In to upgrade their Apple devices to the most recent versions as soon as possible. Users may reduce the risk that the discovered vulnerabilities in security offer by installing the most recent updates. For customers whose devices are restricted to the listed software versions, the agency suggests thinking about a switch to more recent devices for enhanced security.
Other vulnerabilities of a lesser severity are
- A device’s Wi-Fi MAC address can be used for passive tracking.
- Sometimes a gadget just won’t lock.
- Voice-over may read aloud a user’s password.
- When resolving symlinks, a website could be able to access private user information.
- It’s possible for a website to access the microphone even when the microphone use indication isn’t displayed.
- User data that is secured could be accessible to an app.
- It’s possible for an app to obtain private user information.
- Endpoint Security clients might experience a denial-of-service attack from an app.
- It is possible for an app to induce a denial-of-service.
- It’s possible for an app to read private location data.
- Private data could be accessible to an app that has root access.
- Passkeys may be accessible to an attacker without the need for authentication.
One can do the following actions:
After conducting the necessary tests, immediately apply Apple’s stable channel update to all susceptible computers.
- For enterprise assets, document and uphold a vulnerability management process. Every year or whenever there are substantial enterprise changes that could affect this Safeguard, review and update the documentation.
- Conduct Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Employ a vulnerability scanning technology that complies with SCAP to conduct automated vulnerability scans of externally-exposed enterprise assets. Run scans once a month, or more often if necessary.
- Control pre-configured vendor accounts, administrator, and root accounts, among other default accounts, on software and corporate assets. Examples of implementations include rendering default accounts inoperable or disabled.
- Stop unwanted file types from trying to get via the email gateway of the company.
- Use technological controls to make sure that only approved software may run or be accessible, such as application allowlisting. Every two years, or more often, reevaluate.
Information regarding Apple Security updates can be viewed below.