Cert‑In flags Apple flaws
India's CERT‑IN has issued a high‑severity alert about vulnerabilities in Apple software that could enable remote code execution or data theft, according to security reporting today. (The bulletin prompted wider notice in tech security feeds and is framed as an urgent patching priority for affected users and admins.) (x.com)
A software update on an iPhone is often a lock change, not a paint job. India’s Computer Emergency Response Team said on March 26 that several Apple products had flaws serious enough to let attackers run code, steal information, or crash devices if people stayed on older versions. (cert-in.org.in) The agency’s list was broad. It covered iPhone and iPad software before version 26.4 and 18.7.7, Mac software before Tahoe 26.4, Sequoia 15.7.5, and Sonoma 14.8.5, plus Safari, Apple Watch, Apple TV, Vision Pro, and Xcode before their 26.4 releases. (cert-in.org.in) “Run code” in a security bulletin means an attacker can make your device follow the attacker’s instructions instead of yours. CERT-In said the possible results included elevated privileges, disclosure of sensitive information, bypassing security restrictions, and denial of service. (cert-in.org.in) One older CERT-In note on Apple’s mobile software shows how these attacks can start with something as ordinary as a web page. In that March 19 note, the agency said flaws in the kernel and WebKit could be triggered by persuading a victim to visit a specially crafted website. (cert-in.org.in) The kernel is the part of an operating system that acts like a building manager with master keys. When CERT-In says a “use after free” bug exists there, it means the software can be tricked into reusing memory it already gave up, which can open a path to device takeover. (cert-in.org.in) WebKit is the browser engine under Safari, which means it is the code that turns a website into something you can tap and read. CERT-In’s March 19 note said a “type confusion” flaw in WebKit could let a malicious page push the browser into handling data as the wrong kind of object, which is one route to arbitrary code execution. (cert-in.org.in) Apple’s side of this story is the patch list. Apple published security pages for iOS 26.4 and iPadOS 26.4, Safari 26.4, watchOS 26.4, and a central security releases page, and CERT-In’s advisory points users directly to those Apple updates as the fix. (support.apple.com 1) (support.apple.com 2) (support.apple.com 3) (support.apple.com 4) (cert-in.org.in) Apple’s security release process is deliberately quiet until patches are out. On its security pages, Apple says it does not disclose or confirm security issues until an investigation is complete and fixes are generally available, which is why government alerts often land right after vendor patches exist. (support.apple.com 1) (support.apple.com 2) There is also a newer wrinkle in how Apple ships fixes. Apple says “Background Security Improvements” are supported starting with iOS 26.1, iPadOS 26.1, and macOS 26.1, which means some urgent protections can arrive outside the old pattern of waiting for a full system upgrade. (support.apple.com) The practical part is simple. If an Apple device is still below the versions in CERT-In’s March 26 advisory, the safe move is to install the current Apple update for that device, because the warning is not about one app misbehaving but about core software that sits under the whole system. (cert-in.org.in)
