November 14, 2024

The Indian Computer Emergency Response Team (CERT-In) appointed by the Ministry of Electronics and Information Technology has found multiple vulnerabilities of high severity in iOS, iPadOS, and macOS by Apple as well as Google’ ChromeOS and Mozilla’ Firefox Internet browser. iOS is an operating system for iPhone models, iPadOS runs on iPad models, and macOS powers the Mac machines. As per the nodal agency, these vulnerabilities can be used to bypass security restrictions and cause denial-of-service (DoS) attacks rendering the devices unusable.

Mac machines running on macOS Catalina with security update prior to 2022-005, macOS Big Sur versions prior to 11.6.8, and macOS Monterey versions prior to 12.5 are at risk, as per CERT-In. The vulnerabilities in macOS versions as well as iOS and iPadOS could be exploited by a remote attacker by persuading a victim to visit a malicious website. The cybercriminal can execute arbitrary code, bypass security restrictions, and cause DoS conditions on the targeted system.

The macOS vulnerabilities exist due to out-of-bounds read in AppleScript, SMB and Kernel, out-of-bounds write in Audio, ICU, PS Normalizer, GU Drivers, SMB and WebKit. Authorisation issues have been found in AppleMobileFileIntegrity; information disclosure in the Calendar and iCloud Photo Library.

Similar vulnerabilities have been found in iOS and iPadOS versions prior to 15.6. The macOS vulnerabilities exist due to out-of-bounds write in Audio, ICU, GPU Drivers, and WebKit, out-of-bounds read in ImageIO and Kernel, authorisation issues have been found in AppleMobileFileIntegrity; information disclosure in the Calendar and iCloud Photo Library, among others.

In case of Mozilla Firefox, versions prior to 103, ESR versions prior to 102.1 and 91.12 have been found vulnerable. The vulnerabilities exist due to Memory safety bugs within the browser engine, preload cache bypasses subresource integrity, leak of cross-site resource redirecting information while using the Performance API, among others. These loopholes may provide an attacker access to sensitive information on the targeted system.

The vulnerabilities in Google ChromeOS pose a pretty similar threat as Firefox. The vulnerabilities exist in Google ChromeOS LTS channel versions prior to 96.0.4664.215 due to out-of-bounds read in the compositing component, incorrect implementation in Extension API, use-after-free error within the Blink XSLT component, among others.

CERT-In says these vulnerabilities can be fixed by installing software updates. Users of these operating systems and Mozilla Firefox are advised to install the software patches as soon as they can.