Apple confirmed Monday its devices were left vulnerable to an exploit that allowed for remote malicious code execution through web-based JavaScript, opening up an attack vector that could have parted unsuspecting victims from their crypto.
According to a recent Apple security disclosure, users must use the latest versions of its JavaScriptCore and WebKit software to patch the vulnerability.
The bug, discovered by researchers at Google's Threat Analysis Group, allows for “processing maliciously crafted web content,” which could lead to a “cross-site scripting attack.”
More alarmingly, Apple also admitted it “is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.”
Apple also issued a similar security disclosure for iPhone and iPad users. Here, it says of the JavaScriptCore vulnerability that “processing maliciously crafted web content may lead to arbitrary code execution.”
In other words, Apple became aware of a security flaw that could let hackers take control of a user’s iPhone or iPad if they visit a harmful website. An update should solve the issue, Apple said.
Jeremiah O’Connor, CTO and co-founder of crypto cybersecurity firm Trugard, told Decrypt that “attackers could access sensitive data like private keys or passwords” stored in their browser, enabling crypto theft if the user’s device remained unpatched.
Revelations of the vulnerability within the crypto community began circulating on social media on Wednesday, with former Binance CEO Changpeng Zhao raising the alarm in a tweet advising that users of MacBooks with Intel CPUs should update as soon as possible.
If you use a Macbook with Intel based chip, update asap!
Stay SAFU! https://t.co/mk2Jsicnte
— CZ 🔶 BNB (@cz_binance) November 20, 2024
The development follows March reports that security researchers had discovered a vulnerability in Apple's previous-generation chips, its M1, M2, and M3 series, that could let hackers steal cryptographic keys.
The exploit, which isn’t new, leverages “prefetching,” a process used by Apple’s own M-series chips to speed up interactions with the company’s devices. Prefetching can be exploited to store sensitive data in the processor’s cache and then access it to reconstruct a cryptographic key that is supposed to be inaccessible.
Unfortunately, Ars Technica reports that this is a significant issue for Apple users since a chip-level vulnerability cannot be solved through a software update.
A potential workaround can alleviate the problem, but it trades performance for security.
Edited by Stacy Elliott and Sebastian Sinclair