Apple warns all iPhone users of critical zero day security vulnerabilities

Published 8 hours ago
Source: metro.co.uk
People have been warned to update their software ASAP (Picture: Shutterstock/Tada Images)

Apple users have been warned to update their devices, after a critical security bug is thought to have been used in targeted attacks.

The latest iOS update, 26.2, fixes an issue with the web browser which could have allowed hackers to spy on affected phones and run code without permission.

In a run-through of the updates, Apple said it was ‘aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.’

After Apple released a fix earlier this month, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bugs to its Known Exploited Vulnerabilities Catalogue, indicating that hackers spotted it first.

This means it was a ‘zero-day’ vulnerability: a security issue for which no fix exists, because the maker doesn’t yet know it exists.

Now that a fix has been made available, customers have been warned about it.

What were the critical security issues?

You can update your software from the Settings > General menu (Picture: Shutterstock/Bigc Studio)

The two big problems were with WebKit, the software which powers the Safari internet browser and any other browsers on the phone, such as Chrome and Edge.

The bugs could be exploited by someone simply visiting a malicious website or loading an advert, without the victim even needing to enter their details as they would in a phishing attack.

One of the problems was a ‘use-after-free’ issue, which allowed such a website to infect the device’s memory, even after the site itself had been closed. This could allow code to be executed with instructions to, for example, turn on the microphone or camera, or track the GPS location.

The other vulnerability was a memory corruption issue. When you visit a website, files such as graphics are loaded into fixed-size areas of memory. With the bug, hackers would have been able to add so much data to one of these areas that it spilled over, potentially crashing the system or disabling security features.

No details of who, or how many users, may have been affected by any attacks have been given.

Apple said the vulnerabilities could have been exploited (Picture: Porzycki/NurPhoto/Shutterstock)

While this is unlikely to have targeted iPhone users en masse, specific individuals, such as human rights dissidents, political figures or journalists, may have been at risk.

In the past, state-sponsored spyware such as Pegasus has used other undetected vulnerabilities to take control of devices belonging to targeted individuals.

Apple said it had also fixed other bugs in the latest update, including a configuration issue which could have allowed photos in the Hidden Photos Album to be viewed without authentication, and the possibility of password fields being ‘unintentionally revealed when remotely controlling a device over FaceTime’.

How can I protect my device?

Go to Settings > General > Software Update, and check whether there are any updates to install.

Download any update and install it when prompted, and your device will be patched with the latest security fixes.

If you have automatic updates turned on, this may already have been done, but it’s worth checking just in case.

As a temporary fix, restarting your phone can also protect it from vulnerabilities coming from the web browser, because it wipes the temporary memory, including anything sneakily lingering from a website.

This is not failsafe, however: in a sophisticated attack, the flaw could have been used as a way into the phone to find another vulnerability, making the infection permanent.
