Although exploitation of vulnerabilities in Apple products is relatively uncommon, new security flaws are reported regularly, and, as vulnerability testing specialists note, their scope varies with the affected product.
This time, multiple vulnerabilities were reported in Xcode, Safari, iTunes for Windows, iOS, iPadOS and macOS, along with two potentially critical flaws in tvOS and watchOS, the operating systems of the Apple TV and the Apple Watch respectively. According to the report, exploiting these vulnerabilities could allow arbitrary code execution.
Casual users may not be familiar with all of these products, so below is a brief description of those affected by these flaws:
- tvOS is the operating system of the Apple TV media player
- watchOS is the operating system of the Apple Watch, derived from iOS
- Safari is the web browser bundled with Apple's operating systems
- iPadOS is the tablet-specific variant of iOS; its first release, iPadOS 13, replaced iOS 12 on the iPad
- macOS is the desktop operating system for Mac computers
As vulnerability testing experts point out, exploiting the critical flaws would give a threat actor arbitrary code execution with the privileges of the user who triggered the bug, for example by opening a crafted file or web page. Depending on the privileges of that user, the attacker could then install third-party software, view or alter data on the system, or create new accounts with administrator privileges.
The affected products, and the versions that fix these flaws, are:
- iOS prior to 13.3.1
- iPadOS prior to 13.3.1
- Safari prior to 13.0.5
- iTunes for Windows prior to 12.10.4
- macOS Catalina prior to 10.15.3, and macOS Mojave and macOS High Sierra without Security Update 2020-001
- tvOS prior to 13.3.1
- watchOS prior to 6.1.2
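As an added example that is not part of the original article, the following Python script turns the fixed-version list above into an inventory check. The table of fixed versions is taken from the list; the product names used as keys, the version parser and the sample inventory are my own assumptions. The point worth noticing is that Apple version strings must be compared component by component as integers: a plain string comparison would rank "12.10.10" below "12.10.4" and report a patched iTunes as vulnerable. Mojave and High Sierra are fixed by a security update rather than a new version number, so they cannot be judged this way and are deliberately left out of the table.

```python
"""Check Apple product versions against the fixed releases listed above.

Added example, not code from the original article. FIXED_VERSIONS is
copied from the article's list; the product-name keys, the parser and the
sample inventory are assumptions made for this example.
"""
import platform
import re
from typing import Dict, List, Optional, Tuple

# Lowest version carrying the fix, per the article. Mojave and High Sierra
# are patched by Security Update 2020-001, not a new version number, so a
# version compare cannot express them and they are left out on purpose.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "13.3.1",
    "iPadOS": "13.3.1",
    "Safari": "13.0.5",
    "iTunes for Windows": "12.10.4",
    "macOS Catalina": "10.15.3",
    "tvOS": "13.3.1",
    "watchOS": "6.1.2",
}

_VERSION_RE = re.compile(r"\s*[vV]?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.15.3', 'v13.0.5' or '13.3.1 (17D50)' into a tuple of ints.

    Each dotted component becomes an integer so that ordering is numeric:
    a string compare would put '12.10.10' before '12.10.4'.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(product: str, installed: str) -> Optional[bool]:
    """True if `installed` is older than the fixed release for `product`.

    Returns None for products the table cannot judge (not listed).
    Shorter versions are zero-padded so that '10.15' compares as '10.15.0'.
    """
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    have, need = parse_version(installed), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def check_this_mac() -> Optional[bool]:
    """Apply the Catalina check to the host the script runs on.

    platform.mac_ver() yields an empty release string on non-macOS hosts,
    so there is nothing to check there and None is returned. Only Catalina
    (10.15.x) can be judged by version number; Mojave and High Sierra need
    their installed security updates inspected instead.
    """
    release, _, _ = platform.mac_ver()
    if not release:
        return None
    if parse_version(release)[:2] == (10, 15):
        return is_vulnerable("macOS Catalina", release)
    return None


# Constructed sample inventory for the example, not real asset data.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("iOS", "13.3"),                   # one release behind the fix
    ("iOS", "13.3.1"),                 # exactly the fixed release
    ("iTunes for Windows", "12.10.10"),  # newer than 12.10.4; string compare would get this wrong
    ("watchOS", "6.1.2"),
    ("Safari", "13.0.4"),
]


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (product, version, vulnerable?) for each inventory entry."""
    return [(product, version, is_vulnerable(product, version))
            for product, version in inventory]


if __name__ == "__main__":
    labels = {True: "UPDATE NEEDED", False: "patched", None: "not in table"}
    for product, version, state in audit(SAMPLE_INVENTORY):
        print(f"{product:<20} {version:<10} {labels[state]}")
    print("this host (Catalina check):", labels[check_this_mac()])
```

Feed `audit()` an inventory exported from an MDM or asset system to get a per-device verdict; anything reported as "not in table" (Xcode, Mojave, High Sierra) still has to be verified by hand against Apple's update notices.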
The severity of the individual flaws ranges from moderate to high. Affected devices may be found in home, commercial and industrial environments alike.
While no exploitation in the wild has been reported so far, vulnerability testing specialists from the International Institute of Cyber Security (IICS) recommend that administrators of the affected systems watch for update notices on Apple's official channels and apply the fixed versions listed above. Other security recommendations include:
- Run Apple software as an unprivileged user (this applies to macOS and to iTunes for Windows; iOS, iPadOS, tvOS and watchOS have no equivalent setting, so updating is the only remedy there)
- Avoid downloading, installing or running software or files from unknown sources
- Avoid browsing websites that look unreliable or are listed as malicious
- Apply the principle of least privilege across all systems and services
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents, and he has deep knowledge of mobile security and mobile vulnerabilities.