The company released a surprise update for iPhones, iPads, and Macs on Wednesday that fixes two security vulnerabilities known to Apple to be actively exploited by attackers. It was discovered that WebKit,
the browser engine responsible for Safari and other apps, as well as the kernel, essentially the core of the operating system, had two vulnerabilities. These two flaws affect both iOS and iPadOS, as well as macOS Monterey.
If a vulnerable device accesses or processes maliciously crafted web content, it may be able to execute arbitrary code, according to Apple, whereas the second bug allows malicious applications to run arbitrary code with kernel privileges, which means full control over the device. It is believed that the two flaws are related.
It is not uncommon for successful exploits, such as powerful nation-state spyware, to leverage two or more vulnerabilities at the same time to penetrate a device's protections. A common strategy used by attackers to gain access to sensitive data is to first attack a vulnerability in the device's browser before moving on to the operating system. The company said iPhone 6s and later, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch are affected, as well as all iPad Pro models.