Days after Apple launched its highly anticipated iPhone 16 series, the Indian Computer Emergency Response Team (CERT-In) has issued a high-risk warning concerning multiple vulnerabilities found in several Apple products. The advisory, issued on September 19, affects a wide range of Apple software versions, including iOS, iPadOS, macOS, watchOS and visionOS.

Affected Products

CERT-In’s advisory outlines the affected Apple products as follows:

• iOS: Versions prior to 18 and 17.7
• iPadOS: Versions prior to 18 and 17.7
• macOS Sonoma: Versions prior to 14.7
• macOS Ventura: Versions prior to 13.7
• macOS Sequoia: Versions prior to 15
• tvOS: Versions prior to 18
• watchOS: Versions prior to 11
• Safari: Versions prior to 18
• Xcode: Versions prior to 16
• visionOS: Versions prior to 2

Key Risks and Impacts

The vulnerabilities are rated as “high” risk and, if exploited, could allow attackers to:

• Gain unauthorised access to sensitive information
• Execute arbitrary code on the device
• Bypass critical security restrictions
• Cause denial-of-service (DoS) conditions
• Elevate privileges to gain control over the system
• Perform spoofing attacks
• Engage in cross-site scripting (XSS) attacks

Potential Impacts by Product

• iOS and iPadOS: Users with iOS versions prior to 18 or 17.7 could face DoS attacks, information disclosure, and security restriction bypassing.
• macOS (Sonoma, Ventura, Sequoia): Users running older versions of macOS may experience data manipulation, DoS, privilege elevation, and cross-site scripting.
• tvOS and watchOS: These products face similar risks of DoS attacks, XSS vulnerabilities, and information disclosure.
• Safari and Xcode: Older versions could be vulnerable to spoofing and security restriction bypassing.
• visionOS: Users may be at risk of data manipulation, DoS and information disclosure.

CERT-In Recommendations

The advisory urges users to update their Apple devices to the latest versions of software to mitigate the risks. Users are also advised to monitor their devices for any unusual activity and ensure proper cybersecurity measures are in place.

The Indian cyber security agency CERT-In has reported that users affected by the recent global computer outage are now being targeted by phishing attacks. Fraudsters are posing as CrowdStrike support staff, offering system recovery tools but instead installing malware.

A CERT-In advisory issued on Saturday warns that these attacks could trick unsuspecting users into installing unidentified malware, potentially causing data leaks and system crashes. The global computer outage on July 19, caused by a faulty update to the CrowdStrike Falcon Sensor software, resulted in Microsoft Windows operating system crashes, grounding flights, and affecting business, banking, and hospital systems worldwide, reported PTI.

While systems have now recovered with official fixes from CrowdStrike and Microsoft, attackers are selling software scripts claiming to automate recovery. CERT-In notes that these phishing attackers are also distributing Trojan malware, disguised as recovery tools.

Phishing attacks involve fraudsters impersonating reputable and official entities via email, text messages, or phone calls to trick victims into revealing sensitive personal information, such as banking details and login credentials.

CERT-In, the federal agency responsible for combating cyber-attacks and safeguarding the online space, has advised users and organizations to configure firewalls to block 31 types of URLs, including ‘crowdstrikeoutage[.]info’ and www.crowdstrike0day[.]com’, as well as numerous hashes.

The advisory also recommends several trusted cyber hygiene practices: obtaining software patch updates from authentic sources, avoiding documents with “.exe” links, being cautious of suspicious phone numbers, clicking only URLs with clear website domains, and using safe browsing and filtering tools along with appropriate firewalls.

“Ensure that websites have valid encryption certificates by checking for the green lock in the browser’s address bar before entering sensitive information, such as personal details or account login information,” the advisory adds.