India’s Computer Emergency Response Team (CERT-In) has issued a high-severity alert about multiple vulnerabilities in Apple’s Vision Pro, the tech giant’s latest and most expensive device. The Vision Pro, which runs on the newly developed VisionOS, is at risk of a serious security breach due to certain vulnerabilities that could potentially allow attackers to take over the system, access sensitive user data and cause significant disruptions.

According to the advisory issued by CERT-In, these vulnerabilities can be exploited in multiple ways, leading to serious security risks. The attacker can execute arbitrary code with kernel privileges, which means they can gain the highest level of access to the system, effectively bypassing most built-in security measures. This can result in unauthorized control over the device, allowing the attacker to install malicious software or modify system settings without being detected.

Another critical issue is that apps may shut down unexpectedly. This can disrupt the user experience and potentially lead to data loss. The vulnerabilities also allow bypassing kernel memory protection, which is a serious concern as this memory is critical for maintaining system stability and security. Attackers can exploit this to gain deep access to the system and perform malicious activities without getting caught.

In addition, the vulnerabilities include the ability to fingerprint users, which means tracking and identifying users based on their device usage. This poses significant privacy concerns as it could lead to unauthorized profiling and surveillance of users. The flaws also enable attackers to bypass security restrictions, effectively negating the security measures put in place to protect the system from unauthorized access.

In addition, the vulnerabilities can lead to denial of service (DoS) attacks, rendering the device inoperable by flooding it with excessive requests or exploiting specific vulnerabilities to cause a crash. Attackers can also gain access to sensitive information stored on the device, such as personal data, photos, and messages, putting user privacy at serious risk. Elevated privileges gained through these vulnerabilities will allow attackers to perform actions normally restricted to system administrators, compromising the security of the device.

The root causes of these vulnerabilities can be traced to various technical issues within VisionOS components. These include ‘use-after-free’ bugs in the kernel, errors in CoreMedia and libiconv components, out-of-bounds write and access issues, integer overflow, and type confusion errors in the WebKit component. These technical flaws can be exploited by attackers via maliciously crafted web content, leading to memory corruption and system compromise.

In response to these serious security concerns, Apple has released a software update for Vision Pro. CERT-In advises all users to immediately download and install this update to protect their devices from potential exploits. It is important to keep software updated to avoid these vulnerabilities and ensure system security and integrity.