India’s Computer Emergency Response Team (CERT-In) has issued a high-severity warning regarding multiple vulnerabilities in Apple’s Vision Pro, the tech giant’s latest and most expensive device. The Vision Pro, running on the newly developed VisionOS, is at risk of serious security breaches due to flaws that could potentially allow attackers to take over the system, access sensitive user data, and cause significant disruptions.
According to the advisory released by CERT-In, these vulnerabilities could be exploited in numerous ways, leading to significant security risks. An attacker could execute arbitrary code with kernel privileges, which means they could gain the highest level of access to the system, effectively bypassing most of the built-in security measures. This could result in unauthorised control over the device, allowing the attacker to install malicious software or modify system settings undetected.
Another critical issue identified is the potential for apps to terminate unexpectedly. This can disrupt the user experience and potentially lead to data loss. The vulnerabilities also allow for bypassing kernel memory protections, a serious concern as this memory is crucial for maintaining system stability and security. Attackers could exploit this to gain deeper access to the system and perform malicious activities without being detected.
In addition, the vulnerabilities include the ability to fingerprint users, which means tracking and identifying users based on their device usage. This poses significant privacy concerns as it could lead to unauthorised profiling and monitoring of users. The flaws also enable attackers to bypass security restrictions, effectively negating the safeguards put in place to protect the system from unauthorised access.
Furthermore, the vulnerabilities can lead to Denial of Service (DoS) attacks, rendering the device inoperable by overwhelming it with excessive requests or exploiting specific weaknesses to cause crashes. Attackers could also gain access to sensitive information stored on the device, such as personal data, photos, and messages, putting user privacy at serious risk. Elevated privileges gained through these vulnerabilities would allow attackers to perform actions typically restricted to system administrators, further compromising the security of the device.
The root causes of these vulnerabilities are traced back to various technical issues within the VisionOS components. These include ‘use-after-free’ bugs in the kernel, errors in the CoreMedia and libiconv components, out-of-bounds write and access issues, integer overflows, and type confusion errors in the WebKit component. These technical flaws can be exploited by attackers through maliciously crafted web content, leading to memory corruption and system compromise.
In response to these serious security concerns, Apple has released a software update for the Vision Pro. CERT-In advises all users to promptly download and install this update to protect their devices from potential exploits. Keeping the software up to date is crucial in safeguarding against these vulnerabilities and ensuring the security and integrity of the system
