2 Sources
[1]
Apple patches zero-click exploit threatening crypto users
Apple is urging users to immediately update their devices to patch a zero-click vulnerability that allowed attackers to compromise iPhones, iPads and Macs, a flaw posing heightened risks for cryptocurrency holders.
In a Thursday advisory, Apple said the image processing vulnerability allowed sophisticated actors to compromise Apple devices. The vulnerability disclosure page notes that it was fixed as part of the macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2 and iPadOS 18.6.2 updates.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," the company said.
Cybersecurity experts warned the flaw is particularly dangerous for those in crypto, since they are significantly more exposed to cyberattacks. Access to crypto-integrated systems directly leads to financial gains through irreversible transactions for the attacker, resulting in highly motivated actors targeting this category.
Juliano Rizzo, founder and CEO at cybersecurity firm Coinspect, told Cointelegraph that this is a zero-click vulnerability that does not require user interaction and "an attachment delivered via iMessage can be processed automatically and lead to device compromise." Attackers could potentially leverage access to the device to reach wallet data.
The vulnerability affects Apple's Image I/O framework, which allows applications to read and write most image file formats. Due to improper implementation, processing a malicious image allows for out-of-bounds memory write access. In other words, attackers can leverage this vulnerability to write to areas of a device's memory that should be inaccessible. Such an issue, in the hands of a particularly sophisticated attacker, can compromise device security by allowing attackers to execute code on targeted devices.
A device's memory holds all the programs currently being executed, including critical ones. Being able to write to memory outside the authorized scope allows attackers to alter how other programs operate and execute their own instructions.
Rizzo advised high-value targets who used vulnerable devices for key storage or signing to migrate to new wallet keys if there is any sign of compromise or "if there's any evidence of targeting" on the device storing the credentials:
"The exact steps depend on the attack specifics, but the key is to stay calm, document a clear plan, and start by securing primary accounts (email, cloud) that attackers could exploit for password resets or further access. Patching is critical, but waiting for updates to finish should never delay immediate account lockdown."
For average individuals, Rizzo noted that "checking system logs could in theory show anomalies, but in practice this data is hard to interpret." He said that vendors like Apple are well-positioned to detect exploitation and contact victims directly.
[2]
Is Apple failing to protect users? Zero-Click vulnerability puts iPhones, iPads, Macs and Crypto wallets at risk
Apple software update: Apple devices were at threat as a critical security vulnerability would have allowed hackers to gain control of iPhones, iPads, and Macs without users even clicking a link, as per a report. However, the tech giant has issued an alert to Apple users, urging them to update their devices to address the zero-click vulnerability, which could have been a direct threat to crypto users, as per The Street report.
The main issue was related to the way Apple devices process images, which led to a dangerous opening for attackers to get access and steal sensitive data, like cryptocurrency wallets, according to a Tip Ranks report. The bug was found in Apple's Image I/O framework, which lets applications handle a wide range of image file types, as per the report. By exploiting this vulnerability, attackers had the potential to trigger memory corruption through a maliciously crafted image file that could enable arbitrary code execution without any user interaction, as reported by AInvest.
This vulnerability is more worrying for cryptocurrency users, as it could let attackers access sensitive information like wallet keys and login credentials, according to the report. What makes it so dangerous is that it's a zero-click exploit, which means a user does not have to tap, open, or download anything; just receiving a malicious image through iMessage or another messaging app could be enough for the attack to happen, completely bypassing normal security protections, as reported by AInvest.
Security experts explained that the risk was high for crypto holders because, unlike stolen credit cards or bank details, stolen digital assets cannot be reversed once they are transferred, which makes cryptocurrency users prime targets, as per the Tip Ranks report.
CEO of cybersecurity firm Coinspect, Juliano Rizzo, explained how the attack worked, saying, "This is a zero-click vulnerability that does not require user interaction, and an attachment delivered via iMessage can be processed automatically and lead to device compromise," as quoted by Tip Ranks.
The tech giant said in an advisory on Thursday that the issue had been fixed in the firm's latest software updates across its ecosystem, including iOS, iPadOS, and macOS, as per the report. Apple has fixed the issue by releasing iOS 18.6.2, iPadOS 18.6.2, and corresponding updates for macOS systems, as reported by AInvest.
While Apple did not disclose the identities of the attackers or the full scope of the breach, it warned that the bug had already been linked to "an extremely sophisticated attack against specific targeted individuals," as per the AInvest report. Apple also advised its users to update their devices immediately through the Software Update section in their device settings to mitigate the risk, according to the report.
What is a zero-click vulnerability?
It's a security flaw that doesn't require the user to click or do anything; attackers can exploit it just by sending a malicious file, like an image, as per the AInvest report.
Has Apple fixed the issue?
Yes, Apple has released updates to patch the vulnerability across iOS, iPadOS, and macOS, as per the AInvest report.
Apple has released urgent security updates to fix a zero-click vulnerability in its devices, which posed a significant threat to users, especially those holding cryptocurrencies.
Apple has issued an urgent advisory to users, urging them to update their devices immediately to address a critical zero-click vulnerability. This security flaw, discovered in Apple's Image I/O framework, allowed sophisticated attackers to compromise iPhones, iPads, and Macs without any user interaction [1]. The vulnerability was particularly dangerous as it could be exploited through automatic processing of malicious image attachments sent via iMessage or other messaging apps [2].
Source: Economic Times
The flaw in Apple's Image I/O framework, which allows applications to read and write most image file formats, was due to improper implementation. This vulnerability enabled attackers to write to areas of a device's memory that should be inaccessible, potentially allowing them to execute arbitrary code on targeted devices [1]. Juliano Rizzo, CEO of cybersecurity firm Coinspect, explained that the vulnerability did not require user interaction, making it exceptionally dangerous [1][2].
Cybersecurity experts warned that this vulnerability posed a particularly significant threat to cryptocurrency holders. The potential for attackers to gain access to crypto-integrated systems could lead to direct financial losses through irreversible transactions [1]. Unlike stolen credit cards or bank details, stolen digital assets cannot be reversed once transferred, making cryptocurrency users prime targets for such sophisticated attacks [2].
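Apple has addressed the vulnerability by releasing security updates across its ecosystem: macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2 and iPadOS 18.6.2 [1].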
The company strongly recommends that all users update their devices immediately through the Software Update section in their device settings to mitigate the risk [2].
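A fleet check against the fixed versions listed in source [1], as an added example that is not from either source article or from Apple; the host names and inventory rows are constructed, and a release train for which the page names no fix is reported as unlisted rather than guessed. Versions are compared as integer tuples because a plain string comparison would rank 17.7.10 below 17.7.9.

```python
import re

# Fixed builds as listed in source [1] on this page, keyed by (platform, major train).
FIXED = {
    ("macOS", 13): (13, 7, 8),
    ("macOS", 14): (14, 7, 8),
    ("macOS", 15): (15, 6, 1),
    ("iOS", 18): (18, 6, 2),
    ("iPadOS", 17): (17, 7, 10),
    ("iPadOS", 18): (18, 6, 2),
}

def parse_version(text):
    """Turn '17.7.10' into (17, 7, 10); pad to three parts so '15.6' == '15.6.0'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Return 'patched', 'needs-update' or 'unlisted' for one device."""
    ver = parse_version(version)
    fixed = FIXED.get((platform, ver[0]))
    if fixed is None:
        # The page names no fixed build for this train: do not guess either way.
        return "unlisted"
    return "patched" if ver >= fixed else "needs-update"

def triage(inventory):
    """Group (hostname, platform, version) rows by status, worst first."""
    report = {"needs-update": [], "unlisted": [], "patched": []}
    for host, platform, version in inventory:
        report[assess(platform, version)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts, not from the page).
SAMPLE = [
    ("fin-ipad-01", "iPadOS", "17.7.9"),
    ("fin-ipad-02", "iPadOS", "17.7.10"),
    ("ops-mbp-07", "macOS", "15.6"),
    ("ops-mbp-09", "macOS", "14.7.8"),
    ("exec-iphone-3", "iOS", "18.6.2"),
    ("lab-iphone-5", "iOS", "17.7.2"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```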
While Apple has not disclosed the full scope of the breach or the identities of the attackers, the company acknowledged that the issue "may have been exploited in an extremely sophisticated attack against specific targeted individuals" [1][2]. Rizzo advised high-value targets who used vulnerable devices for key storage or signing to consider migrating to new wallet keys if there's any sign of compromise or evidence of targeting [1].
For average users, detecting exploitation through system logs is challenging. However, Rizzo noted that vendors like Apple are well-positioned to detect exploitation and contact victims directly [1].
This incident highlights the ongoing challenges in cybersecurity, particularly for users of high-value digital assets like cryptocurrencies. As attackers become more sophisticated, the importance of prompt software updates and robust security practices becomes increasingly critical. The zero-click nature of this vulnerability underscores the need for constant vigilance and proactive security measures, even for users of traditionally secure platforms like Apple's ecosystem.