Apple released security updates on Tuesday that it says are “recommended for all users,” after fixing a pair of security bugs used in active cyberattacks targeting Mac users.
In a security advisory on its website, Apple said it was aware of two vulnerabilities that “may have been actively exploited on Intel-based Mac systems.” The bugs are considered “zero day” vulnerabilities because they were unknown to Apple at the time they were exploited.
To fix the bugs, Apple released a software update for macOS, as well as fixes for iPhones and iPads, including for users running the older iOS 17 software.
It’s not yet known who is behind the attacks targeting Mac users, or how many Mac users have been targeted — or if any were successfully compromised. The vulnerabilities were reported by security researchers at Google’s Threat Analysis Group, which investigates government-backed hacking and cyberattacks, suggesting that a government actor may be involved in the attacks. Government-backed cyberattacks sometimes involve the use of commercial phone spyware.
As for the bugs themselves, Apple said the vulnerabilities relate to WebKit and JavaScriptCore, the web engines that power the Safari browser and run web content. WebKit is a frequent target of malicious hackers, who probe the engine for vulnerabilities as a way to break into the device’s wider software and tap into the user’s private data.
The security advisory says the bugs can be exploited by tricking vulnerable Apple devices into processing maliciously crafted web content, such as a website or email, to trigger arbitrary code execution, which can allow the planting of malware on a target’s device.
Users should update their iPhones, iPads, and Macs as soon as possible.
Apple did not comment when contacted by TechCrunch on Tuesday.
Zack Whittaker is the security editor at TechCrunch. You can send tips securely via Signal and WhatsApp to +1 646-755-8849. He can also be reached by email at zack.whittaker@techcrunch.com. You can also submit files and documents securely via SecureDrop.