January 16, 2025

CERT-In Detects Threats With High Severity In iPhone, iPad, Mac, ChromeOS and Firefox Browser

0

The Indian Computer Emergency Response Team or CERT-In, appointed by the Ministry of Electronics and Information Technology, has found several highly severe vulnerabilities in iOS, iPadOS, and macOS. Additionally, they’ve also found some vulnerabilities in Google’s ChromeOS and Mozilla’s Firefox browser as well. According to the agency, these vulnerabilities can be used to bypass security restrictions and cause DoS or denial-of-service attacks on users, rendering their devices unusable.

Machines running macOS Catalina with a security patch prior to 2022-005, macOS Big Sur versions prior to 11.6.8, and macOS Monterey versions prior to 12.5 are at risk. These vulnerabilities which are present in macOS as well as iOS and iPadOS can be exploited by attackers remotely; all they need to do is persuade victims to visit a malicious website. The attacker can then execute an arbitrary code which would bypass security restrictions and cause the DoS attack on the device.

The vulnerabilities in macOS exist due to out-of-bounds read in AppleScript, SMB, and Kernel, out-of-bounds write in Audio, ICU, PS Normalizer, GU Drivers, SMB and WebKit. In addition to that, authorisation issues were found in AppleMobileFileIntegrity; information disclosure in the Calendar and iCloud Photo Library.

Similar vulnerabilities have been found in iPadOS and iOS versions prior to 15.6 as well.

As for Mozilla Firefox, versions older than 103, ESR versions older than 102.1 and 91.12 have been found to have security flaws. These flaws exist due to Memory safety bugs present in the browser engine, preload cache bypasses subresource integrity, and leak of cross-site resource redirecting information while using the Performance API, to name a few. Using these loopholes, attackers can gain access to sensitive information on targeted machines.

Google ChromeOS suffers from similar vulnerabilities to Firefox. They exist in Google ChromeOS LTS channel versions prior to 96.0.4664.215 due to out-of-bounds read in the compositing component, incorrect implementation in Extension API, and use-after-free error within the Blink XSLT component, to name a few.

According to CERT-In, these vulnerabilities can be fixed by installing software updates, and users of these operating systems and browsers should install the latest security updates as soon as they can.