Apple releases security updates for iOS, iPadOS and macOS, fixing two actively exploited zero-days

Apple has released security updates for iPhones, iPads and Macs to patch two vulnerabilities that the company says are being actively exploited to hack people.

The technology giant rolled out new software updates, iOS and iPadOS 17.1.2, and macOS 14.1.2, following a vulnerability disclosure by security researchers at Google’s Threat Analysis Group, which investigates government-backed cyberattacks.

In the updates rolled out Thursday, Apple said it fixed two vulnerabilities in WebKit, the browser engine that powers Safari and other apps. The vulnerabilities allow hackers to remotely plant malicious code, such as spyware, on a person’s device over the internet. Such a bug is called a “zero-day” because the vendor is given no time, or zero days, to fix the vulnerability before it is actively exploited.

“Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1,” Apple said in its security advisories, referring to the iPhone software released on October 11.

Apple also rolled out an update to its browser, Safari 17.1.2, for users running older versions of macOS Monterey and macOS Ventura, the company said.

It’s not known who is exploiting these new zero-day vulnerabilities. Google has not yet attributed the exploitation to a particular malicious actor or government. Apple and Google did not provide further details of the vulnerabilities.

Earlier this week, Google patched its own zero-day vulnerability in Google Chrome, with the search giant saying it was aware that an exploit for the vulnerability “exists in the wild.” Google security researcher Maddie Stone said in a post on X, formerly Twitter, that the Chrome bug was fixed within four days. Apple fixed the bug reported by Google’s researchers in just under a week.
