Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS

Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS.

In security advisories posted on its website, Apple confirmed it fixed the two zero-day vulnerabilities, which “may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.”

The bugs are considered zero days because they were unknown to Apple as they were being exploited.

It’s not yet known who is behind the attacks or how many Apple customers were targeted, or if any were successfully compromised. A spokesperson for Apple did not return TechCrunch’s inquiry. 

Apple credited the discovery of one of the two bugs to security researchers working at Google’s Threat Analysis Group, which investigates government-backed cyberattacks. This may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency. Some government-backed cyberattacks are known to involve the use of remotely planted spyware and other phone-unlocking devices.

A Google spokesperson did not immediately comment when reached by TechCrunch.

Apple said that one of the bugs affects Apple’s CoreAudio, the system-level component that Apple uses across its various products to allow developers to interact with device audio. Apple said the bug could be exploited by processing an audio stream in a maliciously crafted media file, which can allow the execution of malicious code on an affected Apple device. 

The other bug, which Apple took sole credit for discovering, allows an attacker to bypass pointer authentication, a security feature that Apple uses in its software to make it more difficult for attackers to corrupt or otherwise inject malicious code into a device’s memory.

Apple released a software update for macOS Sequoia, bumping the software version to 15.4.1, and released iOS 18.4.1 that fixes the security bugs in iPhones and iPads. Apple TV and the company’s mixed-reality headset Vision Pro also received the same security updates.