India’s Computer Emergency Response Team (CERT-In) has issued a high-severity alert concerning multiple vulnerabilities in Apple’s newest and most expensive device, the Vision Pro. The headset runs visionOS, a newly developed operating system, and the flaws CERT-In lists could allow attackers to take control of the device, access sensitive data and cause significant disruption.
CERT-In’s advisory warns that these flaws can be exploited in various ways, posing significant security risks. One major threat is the potential for attackers to execute arbitrary code with kernel privileges, giving them the highest level of access to the system. This access could allow them to bypass most security measures, install malicious software, and change system settings without detection.
Another issue is that applications may terminate unexpectedly, which disrupts the user and can lead to data loss. The vulnerabilities also allow attackers to bypass kernel memory protections, the mechanisms that keep user-space code from reading or modifying kernel memory. Defeating them gives an attacker a deeper foothold in the system and makes malicious activity harder to detect.
Privacy concerns also arise from the ability of attackers to fingerprint users, tracking and identifying them based on their device usage. This could lead to unauthorized profiling and monitoring. Additionally, the vulnerabilities enable attackers to bypass security restrictions, negating safeguards meant to protect the system from unauthorized access.
The warning also highlights the risk of Denial of Service (DoS): an attacker who can trigger one of these flaws can crash an application or the kernel, leaving the device partly or wholly unusable. Attackers could also gain access to sensitive information stored on the device, such as personal data, photos and messages, which is a serious privacy risk. Finally, elevated privileges obtained through these vulnerabilities would let an attacker perform actions normally reserved for the operating system itself, further compromising the device.
The root causes are memory-safety defects in several visionOS components: use-after-free bugs in the kernel, errors in the CoreMedia and libiconv components, out-of-bounds writes and reads, integer overflows, and type confusion errors in WebKit. Several of these, notably the WebKit flaws, can be triggered by maliciously crafted web content, leading to memory corruption and ultimately system compromise.
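The integer-overflow and out-of-bounds-write classes named above are easiest to understand in code. The following C example is added here and is not taken from the CERT-In advisory, from Apple, or from any visionOS component; the record format, buffer size and sample bytes are constructed for illustration only. It shows a length-prefixed record parser whose bounds check is written two ways: the vulnerable form, in which the addition of header and payload lengths wraps in 32-bit arithmetic so that an attacker-chosen length passes the check, and the hardened form, which rejects the overflow before the addition is performed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record format (not any real visionOS format):
 * 4-byte little-endian payload length, followed by the payload bytes. */
#define HEADER_LEN 4u
#define OUT_BUF_SIZE 64u

/* Vulnerable bounds check: HEADER_LEN + payload_len is computed in uint32_t.
 * A payload_len of 0xFFFFFFFD makes the sum wrap to 1, which is <= out_size,
 * so the caller would go on to copy ~4 GB into a 64-byte buffer. */
int record_fits_vulnerable(uint32_t payload_len, uint32_t out_size) {
    uint32_t total = HEADER_LEN + payload_len;   /* may wrap around */
    return total <= out_size;
}

/* Hardened bounds check: reject any payload_len for which the addition
 * would overflow, then compare. No wrap is possible after the first test. */
int record_fits_safe(uint32_t payload_len, uint32_t out_size) {
    if (payload_len > UINT32_MAX - HEADER_LEN)
        return 0;                                /* addition would overflow */
    return HEADER_LEN + payload_len <= out_size;
}

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record from `in` into `out` using the hardened check.
 * Returns the number of payload bytes copied, or -1 if the record is rejected
 * (too short, length overflows, does not fit, or claims more bytes than given). */
int parse_record_safe(const uint8_t *in, size_t in_len,
                      uint8_t *out, uint32_t out_size) {
    if (in_len < HEADER_LEN)
        return -1;
    uint32_t payload_len = read_le32(in);
    if (!record_fits_safe(payload_len, out_size))
        return -1;
    if ((size_t)payload_len > in_len - HEADER_LEN)
        return -1;                               /* truncated input */
    memcpy(out, in + HEADER_LEN, payload_len);
    return (int)payload_len;                     /* <= out_size, so fits in int */
}

/* Constructed sample inputs. */
static const uint8_t GOOD_RECORD[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t EVIL_RECORD[] = { 0xFD, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

int main(void) {
    uint8_t out[OUT_BUF_SIZE];
    uint32_t evil_len = read_le32(EVIL_RECORD);

    printf("vulnerable check accepts 0x%08X: %d\n", evil_len,
           record_fits_vulnerable(evil_len, OUT_BUF_SIZE));
    printf("hardened  check accepts 0x%08X: %d\n", evil_len,
           record_fits_safe(evil_len, OUT_BUF_SIZE));
    printf("safe parse of good record -> %d bytes\n",
           parse_record_safe(GOOD_RECORD, sizeof(GOOD_RECORD), out, OUT_BUF_SIZE));
    printf("safe parse of evil record -> %d\n",
           parse_record_safe(EVIL_RECORD, sizeof(EVIL_RECORD), out, OUT_BUF_SIZE));
    return 0;
}
```

The vulnerable variant is never used to drive a copy in this example, because doing so would corrupt memory; it exists only so the two checks can be compared on the same input. The same pattern, a size computed from untrusted input and compared after it has already wrapped, is what turns an integer overflow into an out-of-bounds write in parsers for media files, character encodings and web content.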
In response, Apple has released a software update for the Vision Pro that addresses these flaws. CERT-In advises all users to download and install it promptly. On the headset, the installed version can be checked and the update fetched from Settings > General > Software Update. Keeping the software current is the single most effective defence against the vulnerabilities described in the advisory.

