New vulnerabilities from Apple could allow hackers to take control of your Mac devices. Apple has already patched some of the vulnerabilities. Experts say you should keep your software up to date and don’t trust unknown devices.
d3sign / Getty Images
Your Mac and iOS devices may not be as secure as you think.
Cybersecurity company Trellix recently announced its discovery of new, significant bugs on iOS and macOS. According to reports, Apple tried to fix the bugs. But the new research has raised the possibility that malicious actors could bypass security features on some Apple devices.
“Hackers are moving faster than ever, and individuals and organizations need to regularly update their software or risk being the victim of a cyberattack,” Andrew Obadiaru, Cobalt.io’s chief information security officer, said in an email interview with Lifewire .
Apple has long been known as a company that takes security seriously. Still, potentially dangerous bugs occasionally creep into the company’s software. The Trellix Advanced Research Center vulnerability team said it discovered a major new class of flaws that allow bypassing a security measure known as code signing to perform unauthorized actions on both macOS and iOS.
Oscar Wong/Getty Images
“These issues could be used by malicious applications and exploits to gain access to sensitive information such as a user’s messages, location data, call history, and photos,” wrote Austin Emmitt, a security researcher at Trellix, on the company’s blog.
Chris Bluvshtein, privacy expert at VPNOverview.com, said in an email to Lifewire that Apple has strict restrictions on running software on devices. On the other hand, Android allows third-party apps to be downloaded, which is why Android malware is more common. The new vulnerabilities are known as “zero-click,” meaning you don’t have to click on them to cause problems.
The vulnerabilities bypass the fact that part of Apple’s security measures is that all apps are signed with an Apple developer certificate. Apps are also limited in what they can do – effectively staying in their sandbox. It makes it difficult for hackers to introduce malicious code that can exploit operating system software or access other unauthorized apps or services on the phone or computer.
The newly discovered vulnerabilities allow attackers to bypass this cryptographic signature process and run malicious code from its shielded security sandbox. “What’s worrying is that these are zero-click exploits — victims don’t even have to click a link to be affected,” Bluvshtein said.
According to Bluvshtein, the issue first surfaced in September 2021 and was patched by Apple, but related vulnerabilities using the same approach are still being discovered. The current macOS software (macOS Ventura 13.2.1) does not contain fixes for these two vulnerabilities. Apple is aware of the potential exploits, but right now even devices running the latest macOS could be at risk.
“Unfortunately, even if you follow the advice above, it’s nearly impossible to defend against zero-click exploits,” Bluvshtein said. “That’s why they’re often used against high-profile targets and even by government intelligence agencies to monitor targets.”
However, don’t worry too much about the errors. “The disclosed vulnerabilities, while notable, demonstrate the importance of layered defenses in maintaining a good security posture,” Michael Covington, vice president of portfolio strategy at Apple-device-focused technology company Jamf, said in an email to Lebensdraht. “And Apple’s response also shows how important vendor responsiveness is to the process.”
Even though Apple is expected to patch the newly discovered vulnerabilities soon, experts say users should take precautions to keep their devices safe.
The disclosed vulnerabilities, while notable, demonstrate the importance of layered defenses in maintaining a good security posture.
Use only trusted apps from the App Store, Bluvshtein said. “While you can’t install custom apps from elsewhere, there have been historical examples of apps collecting more data than they should or performing malicious actions,” he added.
Bluvshtein said that you shouldn’t trust unknown devices when connecting your phone.
“Your iPhone will ask you if you want to trust a computer when you connect via USB,” he added. “Better yet, don’t plug your phone in at all unless it’s your own computer.”
Also, heed the pervasive advice not to click on links or even open messages from unknown senders if you don’t know who sent them and for what purpose. “Just delete them,” Bluvshtein said.
Make sure your Apple devices are up to date with the latest operating system software available, Bluvshtein suggests. Turn on automatic downloads to make sure you don’t miss security updates.
“For everyday users, these types of attacks are probably not common, and security researchers are constantly working to find them before hackers do,” Bluvshtein said. “So monitor your devices for security patches and install them as soon as they land.”
Thanks for letting us know!
Get the latest tech news every day
Tell us why!
Miscellaneous Not enough detail Difficult to understand