tl;dr
Apple confirmed a vulnerability in its devices that allowed for remote code execution through web-based JavaScript, potentially exposing users to crypto theft. They issued security disclosures for Mac, iPhone, and iPad users, urging them to update their software to patch the vulnerability. The bug, ...
Apple devices vulnerable to exploit allowing remote code execution via JavaScript, potentially leading to crypto theft; urgent software updates required
Security flaw in Apple's JavaScriptCore and WebKit software could enable arbitrary code execution on Mac, iPhone, and iPad devices; potential for sensitive data theft
Vulnerability in Apple's M1, M2, and M3 series chips discovered, allowing hackers to steal cryptographic keys via prefetching process; significant security concern for Apple users
Apple confirmed a vulnerability in its devices that allowed for remote code execution through web-based JavaScript, potentially exposing users to crypto theft. They issued security disclosures for Mac, iPhone, and iPad users, urging them to update their software to patch the vulnerability. The bug, discovered by Google researchers, could lead to cross-site scripting attacks and arbitrary code execution. This revelation sparked concerns in the crypto community, with warnings from industry leaders to update devices.
Additionally, a previously discovered vulnerability in Apple's M-series chips poses a significant security risk for users, as it cannot be solved through a software update, potentially requiring performance trade-offs for security.
Apple confirmed Monday its devices were left vulnerable to an exploit that allowed for remote malicious code execution through web-based JavaScript, opening up an attack vector that could have part unsuspecting victims from their crypto. According to a recent Apple security disclosure, users must use the latest versions of its JavaScriptCore and WebKit software to patch the vulnerability. The bug, discovered by researchers at Google's threat analysis group, allows for “processing maliciously crafted web content,” which could lead to a “cross-site scripting attack.” More alarmingly, Apple also admitted it “is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.” Apple also issued a similar security disclosure for iPhone and iPad users. Here, it says, the JavaScriptCore vulnerability allowed for “processing maliciously crafted web content may lead to arbitrary code execution.”
In other words, Apple became aware of a security flaw that could let hackers take control of a user’s iPhone or iPad if they visit a harmful website. An update should solve the issue, Apple said.
Jeremiah O’Connor, CTO and co-founder of crypto cybersecurity firm Trugard, told Decrypt that “attackers could access sensitive data like private keys or passwords” stored in their browser, enabling crypto theft if the user’s device remained unpatched. Revelations of the vulnerability within the crypto community began circulating on social media on Wednesday, with former Binance CEO Changpeng Zhao raising the alarm in a tweet advising that users of Macbooks with Intel CPUs should update as soon as possible.
If you use a Macbook with Intel based chip, update asap!
Stay SAFU!
The development follows March reports that security researchers have discovered a vulnerability in Apple's previous generation chips—its M1, M2, and M3 series that could let hackers steal cryptographic keys. The exploit, which isn’t new, leverages “prefetching,” a process used by Apple’s own M-series chips to speed up interactions with the company’s devices. Prefetching can be exploited to store sensible data in the processor’s cache and then access it to reconstruct a cryptographic key that is supposed to be inaccessible. Unfortunately, ArsTechnica reports that this is a significant issue for Apple users since a chip-level vulnerability can not be solved through a software update.
A potential workaround can alleviate the problem, but those trade performance for security.