Govt Issues ‘High’ Risk Alert for iPhones, Apple Products Over Security Vulnerabilities

New Delhi: The Indian Computer Emergency Response Team (CERT-In) has issued a high-risk advisory regarding vulnerabilities identified in various Apple products, just days after the iPhone 16 series launch. The advisory, dated September 19, highlights potential security threats affecting iOS, iPadOS, macOS, watchOS, tvOS, Safari, Xcode and visionOS.

Affected Apple Products

CERT-In’s alert focuses on the following Apple software versions:

  • iOS: Versions earlier than 18 and 17.7
  • iPadOS: Versions prior to 18 and 17.7
  • macOS Sonoma: Versions earlier than 14.7
  • macOS Ventura: Versions before 13.7
  • macOS Sequoia: Versions earlier than 15
  • tvOS: Versions prior to 18
  • watchOS: Versions earlier than 11
  • Safari: Versions before 18
  • Xcode: Versions prior to 16
  • visionOS: Versions earlier than 2

Key Risks and Potential Impacts

The vulnerabilities are classified as “high-risk” and could allow cyber attackers to:

  • Access sensitive data without authorisation
  • Execute arbitrary code on affected devices
  • Bypass essential security measures
  • Cause denial-of-service (DoS) conditions
  • Elevate system privileges to gain control
  • Perform spoofing attacks
  • Engage in cross-site scripting (XSS) attacks

Product-Specific Risks

  • iOS and iPadOS: Devices running outdated versions may face DoS attacks, data breaches, and compromised security restrictions.
  • macOS (Sonoma, Ventura, Sequoia): Users could experience data manipulation, DoS, privilege escalation, and XSS vulnerabilities.
  • tvOS and watchOS: Older versions are at risk of DoS, XSS, and data leaks.
  • Safari and Xcode: Older software may be vulnerable to spoofing and security bypass.
  • visionOS: Outdated versions are susceptible to data manipulation, DoS, and information leaks.

CERT-In Recommendations

To mitigate these risks, CERT-In strongly advises users to update their Apple devices to the latest software versions immediately. Users are also encouraged to monitor their devices for unusual activity and follow standard cybersecurity practices.
