Apple has released an emergency security update to protect users against two zero-day security vulnerabilities it believes have already been exploited.

If nothing else, Apple’s most recent emergency security update should be considered proof of an increasingly tense security environment. Enterprises must understand that while Apple maintains a pretty solid ecosystem — certainly at present the most secure, even according to Cisco — that doesn’t mean it’s entirely safe, and every Apple customer needs to get wise to the growing proliferation of threats. With more and more business users turning to the company’s solutions, it’s important to get ahead of the threat.

What is the current threat environment?

The latest Orange Cyberdefense Security Navigator Report claims a global 46% surge in cyber-extortion attacks across the last year — and warns that just over a third (37.45%) of detected incidents originated from internal actors, not all of these by accident. With employees and trusted insiders remaining the soft, vulnerable point for a third of attacks, it’s essential that every business and every user spend time learning about the best approach to online security.

The Orange report points out that attacks are taking place at strategic points in the supply chain. It warns that larger enterprises are the most targeted entities, and points to a surge in attacks against the manufacturing sector. Ransomware, it seems, has become so prevalent that some of the more organized groups now host help desks that targets can contact for assistance — and to arrange payment and data recovery.

Weaponizing WebKit

Keep these findings in mind as you consider Apple’s latest emergency security updates.
Released at the end of November, these address two zero-day vulnerabilities (CVE-2023-42916 and CVE-2023-42917) that have been exploited by hackers to access sensitive information on Apple devices and/or to execute arbitrary code by using malicious webpages to take advantage of a memory corruption bug.

Michael Covington, vice president of portfolio strategy at Jamf, explained: “These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content. The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users.”

It’s quite natural that WebKit has become a prime attack target against Apple’s devices.

Can it get worse? Probably

That’s inevitable as the company at present won’t support other browser engines, meaning that even non-Apple browsers make use of WebKit. This might change as regulators seem insistent on forcing Apple to open up, though when it does, it will allow criminals to try multiple web engines and app stores to crack their way into Apple’s devices. We’ll see how that goes.

Security researchers, meanwhile, continue to kick WebKit around in their attempt to find vulnerabilities before the bad guys do, and hopefully get an Apple security bounty payment for their trouble.

But the fact that WebKit is such a popular attack vector should really inform every Apple user as to how they are being attacked — think dodgy web links in messages and emails, finely crafted phishing sites, and offers that are too good to be true on sites you don’t entirely trust. Those are the vectors being used.

Just update all the things

In this environment, a relatively recent survey from Qualys is all the more frightening; it claimed over half the Macs in use today might not yet have installed the latest security software upgrades. That really has to change (and Apple knows it).
At the same time, battle is joined. The industry is keenly aware of the nature of the attacks taking place, but everyone can play their part. Update your devices swiftly.

“Though these patches validate that Apple devices are not immune to cyber threats, the patching process is helping to reduce the attack surface,” said Covington.

You don’t want to be an easy target now, do you? Patch today.