Apple confirmed Monday its devices were left vulnerable to an exploit that allowed for remote malicious code execution through web-based JavaScript, opening up an attack vector that could have part unsuspecting victims from their crypto.

According to a recent Apple security disclosure, users must use the latest versions of its JavaScriptCore and WebKit software to patch the vulnerability. 

The bug, discovered by researchers at Google’s threat analysis group, allows for “processing maliciously crafted web content,” which could lead to a “cross-site scripting attack.”

More alarmingly, Apple also admitted it “is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.”

Apple also issued a similar security disclosure for iPhone and iPad users. Here, it says, the JavaScriptCore vulnerability allowed for “processing maliciously crafted web content may lead to arbitrary code execution.” 

In other words, Apple became aware of a security flaw that could let hackers take control of a user’s iPhone or iPad if they visit a harmful website. An update should solve the issue, Apple said.

Jeremiah O’Connor, CTO and co-founder of crypto cybersecurity firm Trugard, told Decrypt that “attackers could access sensitive data like private keys or passwords” stored in their browser, enabling crypto theft if the user’s device remained unpatched.

Revelations of the vulnerability within the crypto community began circulating on social media on Wednesday, with former Binance CEO Changpeng Zhao raising the alarm in a tweet advising that users of Macbooks with Intel CPUs should update as soon as possible.

The development follows March reports that security researchers have discovered a vulnerability in Apple’s previous generation chips—its M1, M2, and M3 series that could let hackers steal cryptographic keys.

The exploit, which isn’t new, leverages “prefetching,” a process used by Apple’s own M-series chips to speed up interactions with the company’s devices. Prefetching can be exploited to store sensible data in the processor’s cache and then access it to reconstruct a cryptographic key that is supposed to be inaccessible.

Unfortunately, ArsTechnica reports that this is a significant issue for Apple users since a chip-level vulnerability can not be solved through a software update. 

A potential workaround can alleviate the problem, but those trade performance for security.

Edited by Stacy Elliott and Sebastian Sinclair

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.



Source link