Apple has released emergency security patches for its core products just days after rolling out brand new versions of its operating systems.
On Thursday, the company updated iOS 17/iPadOS 17 and WatchOS 10 with fixes aimed at squashing several zero-day vulnerabilities that could leave a device open to malicious attacks. On its support pages for the iOS/iPadOS updates and the WatchOS update, Apple revealed that the vulnerabilities may have been actively exploited on versions prior to iOS 16.7.
iPhone, iPad, and Apple Watch owners are urged to update their devices with this latest round of security fixes. On your iPhone or iPad, go to Settings, select General, tap Software Update, and then tap the Update Now button. For an Apple Watch, open the Watch app on your phone. At the My Watch tab, head to General, select Software Update, and install the latest update.
Owners of the new iPhone 15 will find iOS 17.0.2 waiting. Users of older iPhones will jump to iOS 17.0.1. And Apple Watch wearers will install WatchOS 10.0.1.
On its support page for iOS 17.0.1, Apple listed three separate bug fixes.
Describing the first update aimed at the OS kernel, Apple said that “a local attacker may be able to elevate their privileges.” Labeling the second fix Security, Apple revealed that “a malicious app may be able to bypass signature validation.” And noting that the third update is related to WebKit, Apple said that “processing web content may lead to arbitrary code execution.”
The support page for WatchOS 10.0.1 listed the same Kernel and Security issues and bug fixes.
Apple didn’t disclose specific details about the security vulnerabilities. But the company did give credit for discovering the bugs to Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. Both The Citizen Lab and Google’s Threat Analysis Group have a history of uncovering security exploits related to spyware that can monitor and even control devices remotely.
Earlier this month, Apple issued last-minute emergency patches for iOS 16/iPadOS 16, WatchOS 9.7, and MacOS Ventura 13.5. The company credited The Citizen Lab with finding the bugs, and The Citizen Lab itself revealed that these zero-click vulnerabilities were being used to deliver NSO Group’s infamous Pegasus spyware.
Targeting government officials, political activists, and journalists, Pegasus is capable of remotely accessing a device to collect data, monitor chats and email exchanges, and spy on users through the device’s camera and microphone.