Government warns macOS, iOS, ChromeOS users of severe security threats
What's the story
Users of macOS, iPadOS, iOS, and ChromeOS, beware, says the Indian government's Computer Emergency Response Team (CERT-In). Multiple high-severity vulnerabilities in these operating systems that could be exploited by remote attackers have been reported by CERT-In. The agency has recommended users of these operating systems to keep their devices updated to the latest versions. Mozilla Firefox browser has similar security flaws as well.
Context
Why does this story matter?
The CERT-In report about security flaws in some of the most popular operating systems is a worrying one. Apple and Google have already released updates for these flaws and updating your device's software to the latest version is a must. Concerted action by tech companies and agencies like CERT-In is necessary to protect sensitive user information.
Loophole
Attackers can execute arbitrary code if users visit malicious website
Users running macOS Catalina with a security patch prior to 2022-055 and Big Sur and Monterey versions before 11.6.8 and 12.5, respectively, are at risk. Similarly, iOS or iPadOS prior to 15.6 are also vulnerable. The vulnerabilities can be exploited by attackers remotely. If they persuade the user to visit a malicious website, they can execute an arbitrary code to bypass security restrictions.
Issues
Apple Watches are also vulnerable to attacks
As per the report, the macOS vulnerabilities are caused by out-of-bounds read in AppleScript, SMB and Kernel, out-of-bounds write in Audio, ICU, PS Normalizer, GPU Drivers, SMB, and WebKit. Along with that, authorizations issues in AppleMobileFileIntegrity, and information disclosure in the Calendar and iCloud Photo Library were found. Apple Watches running on watchOS version prior to 8.7 are also vulnerable, said CERT-In.
Flaws
Vulnerabilities in ChromeOS can be exploited by sending targeted request
The vulnerabilities on ChromeOS can be exploited by attackers to gain access to sensitive information. The flaws exist in ChromeOS LTS channel versions before 96.0.4664.215. Some of the reasons for the vulnerabilities are out-of-bounds in the compositing content, incorrect implementation in Extension API, and use-after-free error within the Blink XSLT component. Hackers can trigger these issues by sending a special request to targeted systems.
Information
Mozilla Firefox has issues similar to ChromeOS
The CERT-In has included Mozilla Firefox in the vulnerable list. Firefox versions older than 103, ESR versions older than 102.1 and 91.12 have security flaws. Similar to ChromeOS, hackers can use loopholes to gain access to sensitive information.