Apple has released another round of security updates to address
multiple vulnerabilities in iOS and macOS, including a new zero-day
flaw that has been used in attacks in the wild.
The issue, assigned the identifier
CVE-2022-32917, is rooted in the Kernel component
and could enable a malicious app to execute arbitrary code with
kernel privileges.
“Apple is aware of a report that this issue may have been
actively exploited,” the iPhone maker acknowledged in a brief
statement, adding it resolved the bug with improved bound
checks.
An anonymous researcher has been credited with reporting the
shortcoming. It’s worth noting that CVE-2022-32917 is also the
second Kernel related zero-day
flaw[1] that Apple has
remediated in less than a month.
Patches are available in versions iOS 15.7, iPadOS
15.7[2], iOS 16[3], macOS Big Sur
11.7[4], and macOS Monterey
12.6[5]. The iOS and iPadOS
updates cover iPhone 6s and later, iPad Pro (all models), iPad Air
2 and later, iPad 5th generation and later, iPad mini 4 and later,
and iPod touch (7th generation).
With the latest fixes, Apple has addressed seven actively
exploited zero-day flaws and one publicly-known zero-day
vulnerability since the start of the year –
- CVE-2022-22587[6] (IOMobileFrameBuffer) –
A malicious application may be able to execute arbitrary code with
kernel privileges - CVE-2022-22594[7] (WebKit Storage) – A
website may be able to track sensitive user information (publicly
known but not actively exploited) - CVE-2022-22620[8] (WebKit) – Processing
maliciously crafted web content may lead to arbitrary code
execution - CVE-2022-22674[9] (Intel Graphics Driver)
– An application may be able to read kernel memory - CVE-2022-22675[10] (AppleAVD) – An
application may be able to execute arbitrary code with kernel
privileges - CVE-2022-32893[11] (WebKit) – Processing
maliciously crafted web content may lead to arbitrary code
execution - CVE-2022-32894[12] (Kernel) – An
application may be able to execute arbitrary code with kernel
privileges
Besides CVE-2022-32917, Apple has plugged 10 security holes in
iOS 16, spanning Contacts, Kernel Maps, MediaLibrary, Safari, and
WebKit. The iOS 16 update is also notable for incorporating a new
Lockdown Mode[13] that’s designed to make
zero-click attacks harder.
iOS further introduces a feature called Rapid Security Response[14] that makes it possible
for users to automatically install security fixes on iOS devices
without a full operating system update.
“Rapid Security Responses deliver important security
improvements more quickly, before they become part of other
improvements in a future software update,” Apple said in a revised support
document[15] published on
Monday.
Lastly, iOS 16 also brings support for passkeys[16] in the Safari web
browser, a passwordless sign-in mechanism that allows users to log
in to websites and services by authenticating via Touch ID or Face
ID.
References
- ^
second
Kernel related zero-day flaw
(thehackernews.com) - ^
iOS
15.7, iPadOS 15.7 (support.apple.com) - ^
iOS
16 (support.apple.com) - ^
macOS
Big Sur 11.7 (support.apple.com) - ^
macOS
Monterey 12.6 (support.apple.com) - ^
CVE-2022-22587
(thehackernews.com) - ^
CVE-2022-22594
(thehackernews.com) - ^
CVE-2022-22620
(thehackernews.com) - ^
CVE-2022-22674
(thehackernews.com) - ^
CVE-2022-22675
(thehackernews.com) - ^
CVE-2022-32893
(thehackernews.com) - ^
CVE-2022-32894
(thehackernews.com) - ^
Lockdown Mode
(thehackernews.com) - ^
Rapid
Security Response (thehackernews.com) - ^
revised support document
(support.apple.com) - ^
passkeys
(thehackernews.com)
Read more https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html