CERT-In Warns Apple Users: Critical Vulnerabilities Require Immediate Updates
Research Wing
Innovation and Research
Published on: Sep 25, 2024
Executive Summary:
In a recent advisory, the Indian Computer Emergency Response Team (CERT-In) issued a high-severity warning about older software versions across Apple devices. The rating reflects multiple vulnerabilities reported in Apple products that could allow an attacker to disclose sensitive information and execute arbitrary code on the targeted system. The warning is a timely reminder that keeping software up to date is essential to preventing cyber threats. It is important to update the software to the latest versions and to follow cyber hygiene practices.
Devices Affected:
CERT-In advisory highlights significant risks associated with outdated software on the following Apple devices:
iPhones and iPads: iOS versions prior to 18 and prior to 17.7.
Mac Computers: macOS versions prior to 14.7 (20G71), 13.7 (20H34) and 20.2 for Sonoma, Ventura and Sequoia respectively.
Apple Watches: watchOS versions prior to 11
Apple TVs: tvOS versions prior to 18
Safari Browsers: versions prior to 18
Xcode: versions prior to 16
visionOS: versions prior to 2
Details of the Vulnerabilities:
The vulnerabilities discovered in these Apple products could allow attackers to carry out the following malicious activities:
Access sensitive information: Attackers could read sensitive information stored elsewhere on the compromised device.
Execute arbitrary code: A maliciously crafted web page could trigger code execution on the targeted system, which in the worst case gives the intruder full administrator privileges on the device.
Bypass security restrictions: Protections intended to safeguard the device and the information on it could be bypassed, leaving the system open to further compromise.
Cause denial-of-service (DoS) attacks: The vulnerabilities could be used to make the targeted device or service unavailable to its rightful users.
Perform spoofing attacks: Attackers could create fake entities, users or accounts to gain access to important information or carry out other unauthorised activities.
Elevate privileges: The weaknesses could also be exploited to grant the attacker a higher level of privilege on the targeted system.
Engage in cross-site scripting (XSS) attacks: Some of the flaws make associated web applications and sites prone to XSS attacks through the injection of hostile scripts into web page code.
Vulnerabilities:
CVE-2023-42824
This vulnerability could allow a local attacker to elevate their privileges and potentially execute arbitrary code.
Affected System
Apple's iOS and iPadOS software
CVE-2023-42916
An out-of-bounds read that was addressed with improved input validation.
Affected System
Safari, iOS, iPadOS, macOS, and Apple Watch Series 4 and later devices running watchOS 10.2
CVE-2023-42917
Could lead to arbitrary code execution; there have been reports that it was exploited against earlier versions of iOS.
Affected System
Apple's Safari browser, iOS, iPadOS, and macOS Sonoma systems
Recommended Actions for Users:
To mitigate these risks, it is recommended that users take immediate action:
Update Software: Ensure all your devices are on the most current version of the operating systems they use. Regular updates include important security fixes for identified weaknesses or flaws in the system.
Monitor Device Activity: Stay vigilant if something doesn't seem right, for example if your devices are being accessed by someone other than you.
Always use strong, distinct passwords and enable two-factor authentication.
Install and keep antivirus and firewall software up to date.
Avoid downloading applications or clicking links from unknown sources.
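As an added example (not part of the CERT-In advisory or this article), the following POSIX shell script turns the "Update Software" step into a check: it compares a Mac's installed macOS version against the minimum patched version quoted in the device list above for its release line. The Sonoma (14.7) and Ventura (13.7) thresholds are taken from that list; the mapping from major version to release line and the use of `sw_vers -productVersion` are assumptions for a real macOS host, and the comparison functions themselves run on any POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the CERT-In advisory. Checks whether an installed
# macOS version is at or above the minimum patched version quoted in the advisory.
# Assumptions: thresholds for Sonoma (14.7) and Ventura (13.7) come from the device
# list above; other lines are reported as "unknown" rather than guessed.

# version_lt A B -> exit 0 if dotted version A is lower than dotted version B.
# Missing components are treated as 0, so 14.7 is not lower than 14.7.0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# min_version_for LINE -> prints the lowest patched version for a macOS release
# line (values from the advisory text above), or nothing if the line is not covered.
min_version_for() {
    case "$1" in
        Sonoma)  printf '14.7' ;;
        Ventura) printf '13.7' ;;
        *)       printf '' ;;
    esac
}

# patch_status LINE VERSION -> prints "vulnerable", "patched" or "unknown".
patch_status() {
    min="$(min_version_for "$1")"
    if [ -z "$min" ]; then
        printf 'unknown'
    elif version_lt "$2" "$min"; then
        printf 'vulnerable'
    else
        printf 'patched'
    fi
}

# On a real Mac, derive the release line from the major version that sw_vers
# reports (assumed mapping: 14 -> Sonoma, 13 -> Ventura) and print the verdict.
if command -v sw_vers >/dev/null 2>&1; then
    ver="$(sw_vers -productVersion)"
    case "${ver%%.*}" in
        14) line=Sonoma ;;
        13) line=Ventura ;;
        *)  line=other ;;
    esac
    printf 'macOS %s (%s): %s\n' "$ver" "$line" "$(patch_status "$line" "$ver")"
fi
```

A "vulnerable" verdict means the host is still on a build older than the one the advisory names for its line, so the fix is to run Software Update; "unknown" means the script has no threshold for that line and the advisory should be consulted directly.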
Conclusion:
The advisory from CERT-In clearly demonstrates the fundamental need to keep the software on all Apple devices up to date. Consumers need to act right away to patch their devices and apply best security measures such as multi-factor login and system scanning. The advisory has come out just as Apple has released new products into the market, such as the iPhone 16 series in India. When consumers embrace new technologies, it is important for them to observe the relevant security precautions. Maintaining good cyber hygiene is a critical process for protection against new threats.
Two powerful earthquakes measuring 7.2 and 7.5 in magnitude struck Venezuela on June 24, 2026, within a span of one minute, causing widespread destruction. Hundreds of buildings were reportedly reduced to rubble. Against this backdrop, a video is being widely shared on social media showing two high-rise buildings colliding with each other before collapsing. Several users have claimed that the footage shows the aftermath of the recent earthquake in Venezuela. CyberPeace Research Wing team conducted a detailed research and found that the viral video is not authentic. The footage was generated using artificial intelligence and is being falsely shared as real visuals from the Venezuela earthquake.
Claim
A Facebook user, “Rana Yashwant,” shared the video on June 26, 2026, with the caption: "Venezuela: The high-rise buildings fell as if they were fast-moving train coaches. How long could they withstand such a powerful earthquake? Both collapsed face-first. What happened to the people? Who knows." https://www.facebook.com/reel/1036186612182534 ,https://perma.cc/98PE-DFKB
Fact Check
We first extracted several keyframes from the viral video and conducted reverse image searches using Google Lens. However, we found no credible news reports or evidence linking the footage to the recent earthquakes in Venezuela. A closer examination of the video revealed several anomalies. Despite the intense shaking and collision of the buildings, the windows and structural features remained unchanged throughout the footage. No visible deformation or damage appeared in the buildings before they collapsed, which is highly unrealistic and raised suspicions that the video had been generated using AI. To verify this, we analyzed the video using the AI detection tool detectvideo.ai. The results indicated a 73 percent probability that the footage was AI-generated.
Similarly, analysis conducted using Sightengine found a 99 percent probability that the video had been created using artificial intelligence.
Conclusion
Our research found the viral claim to be false. The video showing two buildings colliding and collapsing is not related to the recent earthquakes in Venezuela. The footage was generated using artificial intelligence and is being misleadingly shared as real disaster footage.
The increase in consumer demand has resulted in a sharp increase in digital financing in India. As a result, the reputation of the digital lending sector has been impacted, as bad actors increasingly deploy illicit lending platforms such as fraudulent loan and trading apps. As millions of Indians download fast loan applications to help them make ends meet, the fraudulent apps result in cyber crimes including financial fraud. Consumers need to be vigilant about dubious trading or loan applications, as bad actors frequently use illegitimate apps to trick victims by advertising limited-period offers and applying pressure.
Recently, the Indian Cyber Crime Coordination Centre (I4C)-led handle CyberDost issued a cybercrime alert against the 'CashExpand-U' finance assistant app, which has now been removed from the Google Play Store. The app was found to be associated with hostile foreign entities and made it easy to raise small loans. However, such loan apps are seldom credible and may compromise financial information.
Rising cases of Fraudulent Loan Apps
The Finance Minister has stated that the government is constantly engaged with the Reserve Bank of India and other regulators and stakeholders to control fraudulent loan apps. In FY23 there were 1,062 complaints against such apps, the Finance Minister shared during a Lok Sabha session. Google removed almost 134 fake apps from the Play Store in a single week in September 2023 after multiple complaints were registered against such apps. The Reserve Bank of India (RBI) had also issued regulatory guidelines on digital lending in April 2023 to bring transparency to the digital loan space.
CyberPeace Policy Wing Advisory for Users
Be cautious of App Permissions
Fake lending apps collect data by fraudulently obtaining numerous app permissions from consumers and misusing them later. Users must manage their app permissions carefully and deny any unnecessary permissions, such as access to contacts, location and photos, because fraudulent digital lenders use this personal data to extort additional money even after the loan has been repaid.
Practice Due Diligence
Consumers must exercise care and caution before applying for a loan from digital lending platforms. Before applying for a loan or downloading any such app, consumers must conduct due diligence by verifying the app's name, rating, reviews, physical address and contact information. Always double-check the paperwork before signing any agreement or contract, and only apply for loans from RBI-approved and compliant banking and financial services providers.
Download from Official Sources
To avoid downloading counterfeit apps, only download lending apps from official stores like Google Play Store or Apple App Store, and avoid downloading apps from web links sent via SMS, email, or social media, even if shared by your known persons.
Be sceptical of too-good-to-be-true offerings
Be cautious of deals that seem too good to be true, like hassle-free easy loans as they can be fraudulent. If an offer seems too good to be true, it might be a red flag. Hence always conduct your own research to verify the lender and avoid making hasty decisions.
Reporting Mechanism
In case of facing a scam by such fraudulent apps, victims can file a complaint with the ‘National Cyber Crime Reporting Portal’ or Cyber Crime Helpline ‘1930’, or they can also contact us at CyberPeace Helpline +919570000066 and helpline@cyberpeace.net to get assistance in reporting their cases.
Final Words
Illegitimate loan and trading apps have been raising concerns by defrauding innocent consumers who seek financial assistance. The Centre has recently warned against the CashExpand-U app, which has now been removed from the Google Play Store. Users are advised to exercise due care and caution while downloading loan apps and applying for loans to prevent potential scams. Keep up to date with news from the concerned authorities about common scams and fraudulent practices in the lending space, and stay safe in the online world.
The Expanding Governance Challenge of Artificial Intelligence
Artificial intelligence (AI) systems are increasingly embedded in economic and social infrastructure. They are being adopted in financial services, healthcare diagnostics, hiring systems, and public administration. But while these systems improve efficiency and decision-making, they also introduce new forms of technological risk.
Unlike conventional software, AI systems learn patterns from data and continue to evolve as they run. This poses governance issues since risks can arise throughout the AI life cycle, whether at the coding level or in their implementation.
The latest regulatory frameworks, such as the European Union’s AI Act (EU AI Act) and the UNESCO Recommendation on the Ethics of Artificial Intelligence, note that responsible AI governance depends on the realisation of where risks emerge across the development process.
This article maps the AI system lifecycle, identifies the risks that emerge at each stage and evaluates the policy tools used to mitigate them using the lifecycle framework developed by the Organisation of Economic Co-operation and Development (OECD).
The Lifecycle of an AI System
AI systems are developed through a structured process that includes problem definition, dataset collection and preparation, model development, testing and validation, deployment, and monitoring.
The OECD conceptualises this development process as the AI system lifecycle. Each stage entails various technical and administrative procedures, since choices made during these stages will dictate the goals and limits of an AI system. Further, the quality and representativeness of training sets will have a strong effect on the behaviour of models after implementation.
Since this is an iterative and not a linear procedure, risks can be introduced at each stage of the AI lifecycle. New data can be retrained into different models, and systems are regularly updated once they have been deployed, to address performance degradation, model errors, or unintended outputs. This iterative process means governance must address risks across the entire lifecycle, not just at deployment.
Where AI Risks Emerge
AI risks usually emerge earlier in the development process, especially in the phases when system objectives are formulated and training data are chosen. The EU AI Act and the UNESCO Recommendation on the Ethics of AI outline the following risks: bias and discrimination, privacy and data security violations, the absence of transparency in automated decision-making, and risks to fundamental rights.
Figure: AI Governance Risk Landscape: Core Risk Categories Under International Frameworks (risk categories jointly identified by the EU AI Act and the UNESCO Recommendation on the Ethics of Artificial Intelligence).
Outlining the risks throughout the AI lifecycle helps understand the areas where governance interventions are most necessary. For example, discriminatory outcomes often result from biased or unrepresentative training data, while safety failures are typically linked to inadequate testing before deployment. Risks such as misinformation arise post the development process, when generative AI systems are deployed at scale on digital platforms.
Figure: AI System Lifecycle: Key Risks at Each Stage (risks identified per the EU AI Act and the UNESCO Recommendation on the Ethics of AI).
Understanding where risks emerge across the lifecycle explains why governance frameworks classify AI systems by risk and apply oversight at multiple stages.
Policy Tools for Mitigating AI Risks
Governments and international organisations have developed regulatory tools to help mitigate AI risks across the lifecycle. These tools are meant to ensure that AI technologies meet standards of safety, accountability and fairness both before and after deployment.
For example, the OECD AI Policy Observatory recommends that governments adopt policy instruments such as risk evaluations, algorithmic auditing requirements, regulatory sandboxes and transparency requirements for AI systems. The European Union's Artificial Intelligence Act (AI Act) is one of the most comprehensive governance frameworks and introduces a risk-based regulatory strategy. It mandates adherence to requirements concerning data governance, documentation, human oversight, robustness and cybersecurity. Such requirements bring regulatory checkpoints to the lifecycle of AI systems.
Mapping these policy tools across the lifecycle illustrates how governance mechanisms can intervene at different stages of AI development.
Figure: Governance Overlay: Policy Interventions Across the AI Lifecycle (regulatory tools mapped at each stage of AI development per the EU AI Act and the UNESCO Recommendation on the Ethics of AI).
Several policy tools are directed at the risks that occur in the pre-developmental stages. In one example, algorithmic impact assessment has been applied in various jurisdictions to measure the possible consequences of automated decision systems on society before implementation. On the same note, the requirements of dataset documentation, including dataset transparency requirements and model cards, are aimed at enhancing accountability during the training and development stages of the AI systems. Therefore, lifecycle-based policy design allows regulators to intervene before harmful outcomes occur, rather than responding only after AI systems have caused damage in real-world environments.
The Policy Gap in AI Governance
The misalignment between risks and governance tools across the AI lifecycle indicates a critical structural gap in existing regulations. Numerous governance processes become activated after AI systems are classified as “high risk” or after they are implemented in the real world. But the most serious sources of damage have their roots in earlier stages of the development procedure.
For example, prejudiced or unbalanced training data is almost inevitably a source of discriminatory results in automated decision systems. When such models are applied in areas like staffing, credit rating or the provision of public services, these biases can quickly spread to large populations and undermine democratic rights. In the same way, a lack of transparency in model design may leave regulators and affected individuals unable to understand how decisions are made. This reflects a broader timing gap in AI governance, where risks originate during design and development but regulatory intervention typically occurs only after deployment.
Analysis
1. Key risks originate before deployment: As depicted in the lifecycle mapping, the data collection and model development phases present several significant governance risks, as opposed to the deployment phase. Structural issues can become entrenched within AI systems even before they are deployed in practice, due to bias in datasets, incomplete documentation of training sets and opaque model designs.
2. Data governance is a primary point of vulnerability: Most of the instances of algorithmic discrimination listed above are associated with training material that is historical or unrepresentative of some population groups. Since machine learning models are optimised on the patterns that exist in datasets, these biases can be carried through the whole lifecycle and reproduced after deployment.
3. Regulatory approaches remain mismatched across jurisdictions: Different countries adopt varying approaches to AI governance, ranging from risk-based frameworks such as the EU AI Act to more sector-specific or voluntary guidelines in other regions. This divergence creates inconsistencies in safety, accountability and enforcement standards, allowing risks to persist across borders and potentially undermining the protection of users of globally deployed AI systems.
4. Governance interventions remain uneven across the lifecycle: Whereas many regulatory instruments target deployment and monitoring, fewer systematically tackle the risks posed by the earlier design and development phases.
Recommendations
1. Introduce mandatory lifecycle risk assessments: Regulatory systems need to require systematic risk evaluation at the beginning of AI development, especially at the problem design and dataset selection phases. This would help detect potentially harmful applications in advance, before systems are built and deployed.
2. Strengthen dataset governance standards: Training datasets must be accompanied by documentation of their provenance, composition and limitations. Standardised dataset documentation frameworks can help regulators and auditors discover potential sources of bias or privacy threats.
3. Expand independent algorithmic auditing: Regular third-party audits can assess AI systems for fairness, robustness and security weaknesses. Such auditing mechanisms apply especially to high-risk systems used in employment, finance or public services.
4. Integrate continuous monitoring requirements: AI systems should be monitored regularly after deployment to identify model drift, unforeseen consequences or abuse. Reporting systems can help regulators see emerging risks and adjust governance mechanisms accordingly.
Conclusion - The Need for Global AI Governance
Despite growing regulatory attention, global AI governance remains fragmented. Different jurisdictions adopt varying approaches to risk classification, oversight and enforcement, leading to inconsistencies in safety and accountability standards. Given that AI systems are often developed, deployed and used across borders, this lack of coordination allows risks to persist beyond national regulatory frameworks.
Addressing these challenges requires a shift towards greater international cooperation and lifecycle-based governance. Developing shared standards, improving cross-border regulatory alignment, and embedding oversight across all stages of AI development will be essential to ensuring that AI systems are safe, transparent, and accountable in a globally interconnected environment.