
Indian CERT-In sounds alarm over multiple visionOS flaws; patch issued


Photo: Ringo Chiu / Shutterstock.com

The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity alert regarding critical vulnerabilities discovered in Apple’s Vision Pro running visionOS versions before 1.2. These vulnerabilities pose significant security risks, potentially allowing malicious actors to compromise user data, disrupt system operations, and gain unauthorised access.

According to CERT-In’s advisory, one of the most concerning vulnerabilities enables attackers to execute arbitrary code with kernel-level privileges. This level of access grants them extensive control over the system, bypassing standard security measures and facilitating the installation of malicious software or unauthorised system modifications without detection.

Furthermore, the vulnerabilities introduce instability in applications, leading to unexpected closures that can result in data loss and hinder user experience. Additionally, the flaws allow attackers to bypass kernel memory protections, compromising system stability and security.

“Multiple vulnerabilities have been reported in Apple visionOS which could allow an attacker to execute arbitrary code with kernel privileges, trigger termination of an app unexpectedly, bypass kernel memory protections, fingerprint the user, bypass security restrictions, cause denial of service (DoS) conditions, access sensitive information and gain elevated privileges on the targeted system,” cautioned CERT-In.


Of particular concern is the risk of user fingerprinting, which allows attackers to track and identify users based on device usage patterns. This poses a significant privacy threat, potentially enabling unauthorised user profiling and monitoring.

Moreover, the vulnerabilities open the door to Denial of Service (DoS) attacks, which could render the device inoperable by overwhelming it with excessive requests or exploiting specific weaknesses to cause system crashes. This could also expose sensitive user data, including personal information, photos, and messages, jeopardising user privacy and security.

CERT-In attributes these vulnerabilities to technical issues within visionOS components, including ‘use-after-free’ bugs in the kernel, defects in CoreMedia and libiconv components, out-of-bounds write and access problems, integer overflow, and type confusion errors in the WebKit component. These flaws can be exploited through malicious web content, leading to memory corruption and system compromise.

In response to these risks, Apple has released a software update for Vision Pro. CERT-In advises all users to install this update promptly to mitigate potential exploits and safeguard their devices.

Apple announced visionOS 2 at WWDC 2024, along with several other improvements and operating systems across its ecosystem.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
