Apple has released a large package of security fixes for various bugs in iOS and iPadOS including four code-execution flaws and one serious zero-day.
The most significant of the 11 total security issues was the zero-day vulnerability that allowed hackers to potentially execute arbitrary code with kernel privileges - the most serious kind.
Apple said it is aware of a report that the issue may have been actively exploited in the wild. A zero-day vulnerability is characterised as a security flaw that was previously unknown to the affected vendor but not patched.
Tracked as CVE-2022-32917, the vulnerability was one of the four code-execution bugs patched in the update and the eighth zero-day Apple has patched this year.
It was not the only other bug that could be exploited with kernel privileges, though. The other is tracked as CVE-2022-32911 but unlike the first, this is not believed to be under active exploitation.
The other two were found in WebKit, Apple’s proprietary browser engine that’s used to power its Safari app, as well as all the in-app browsers found in apps allowed on Apple’s App Store.
They both may have allowed arbitrary code execution if a user accessed a maliciously crafted web page, but neither is thought to be under active exploitation either.
All of the security fixes apply to version 15.7 of each operating system (OS) which is the most recent version for iPads and the second most recent version for iPhones after iOS 16 was launched on Monday.
Affected devices are the same for all vulnerabilities in the list. These include all officially supported iPhones (iPhone 6s and newer), all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, and iPod touch (7th generation).
Also included in the package of patches were fixes for three separate privacy issues. The first of these impacted the affected devices’ Contacts app and Apple’s nondescript explanation of the issue offered very little other than: “an app may be able to bypass privacy preferences”.
Apple’s security advisories are famously brief in their explanation of each vulnerability and the potential capability of a method to exploit it. It’s unclear how another app could impact the privacy preferences of the contacts app.
RELATED RESOURCE
Storage's role in addressing the challenges of ensuring cyber resilience
Understanding the role of data storage in cyber resiliency
“For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” it said in the update’s notes.
Apple’s Maps app also suffered a privacy issue whereby another app installed on an affected device may have been able to read “sensitive location information”.
Apple was equally as vague as to the finer details of this vulnerability, too, as it was with the third privacy flaw found in Safari’s web extensions.
Exploiting this vulnerability would potentially allow websites to track users through browser extensions in Apple’s Safari app.
Apple did not specify if this vulnerability would also circumvent its built-in App Tracking Transparency functionality introduced in iOS 14 or if websites could track users if they enabled the hiding of their IP address in the device’s settings.
Elsewhere, vulnerabilities potentially allowing photos to be accessed from the lock screen through the exploitation of Shortcuts, address bar spoofing in Safari, and privilege escalation flaws in MediaLibrary were also fixed.
Apple’s security updates rarely deliver this many fixes in one release but the update is potentially more impactful for iPad owners.
The security updates must be applied to Apple’s tablets but the vulnerabilities no longer affect the latest version of iOS, so if users updated to iOS 16 on Monday, then the fixes would automatically be ported over with the newer OS.
The latest iOS update brought with it several new security features for iPhone users and one of the most notable was the decoupled security updates.
Users would typically have had to wait for full iOS updates to receive new security patches but Apple is now releasing updates for its OS and security flaws separately so fixes can be applied more quickly.
The same security features will also be coming to iPad users when its iPadOS is eventually rolled out.
Apple has confirmed that the OS has been delayed by a month, although it is usually released at the same time as iOS.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
The threat prevention buyer's guideWhitepaper Find the best advanced and file-based threat protection solution for you
