August 13, 2022
CERT-In detects high-severity threats in iPhone, iPad, Mac, ChromeOS and Firefox browsers

The Indian Computer Emergency Response Team (CERT-In) appointed by the Ministry of Electronics and Information Technology has found several vulnerabilities of high severity in iOS, iPadOS and macOS, in Apple as well as in Google’s ChromeOS and Mozilla’s Firefox internet browsers. iOS is an operating system for iPhone models, iPadOS runs on iPad models, and macOS powers Mac machines. According to the nodal agency, these vulnerabilities can be used to circumvent security restrictions and cause denial-of-service (DoS) attacks to render devices unusable.

Mac machines running macOS Catalina with security updates prior to 2022-005, macOS Big Sur versions prior to 11.6.8, and macOS Monterey versions prior to 12.5 are at risk, According to CERT-in. Vulnerabilities in macOS versions as well as iOS and iPadOS can be exploited by a remote attacker by persuading a victim to visit a malicious website. Cybercriminals can execute arbitrary code, bypass security restrictions and create DoS conditions on the target system.

macOS vulnerabilities exist due to out-of-bounds reads in AppleScript, SMB, and the kernel, out-of-bounds writes to audio, ICU, PS Normalizer, GU Drivers, SMB, and WebKit. AppleMobileFileIntegrity has detected authorization issues; Information disclosure in Calendar and iCloud Photo Library.

similar weaknesses have been found In iOS and iPadOS versions prior to 15.6. MacOS vulnerabilities exist due to out-of-bounds writes in audio, ICU, GPU drivers, and WebKit, out-of-bounds reads in ImageIO and the kernel, authorization problems found in AppleMobileFileIntegration; Information disclosure in Calendar and iCloud Photo Library, among others.

In mozilla firefox case, versions before 103, ESR versions before 102.1 and 91.12 have been found to be vulnerable. Vulnerabilities exist due to memory protection bugs within the browser engine, preload cache bypassing sub-resource integrity, leakage of cross-site resource redirection information when using the display API, among others. These flaws can give an attacker access to sensitive information on the target system.

Vulnerabilities in Google ChromeOS pose a very similar threat to Firefox. Vulnerabilities exist in Google ChromeOS LTS channel versions prior to 96.0.4664.215, because of out-of-bounds reading in the compositing component, incorrect implementation in the Extensions API, a use-after-free error within the Blink XSLT component, among others.

CERT-In says these vulnerabilities can be fixed by installing software updates. Users of these operating systems and Mozilla Firefox are advised to install software patches as soon as possible.

Leave a Reply

Your email address will not be published.