Apple fixes zero-day kernel hole and more – update now! – Bare Security

Apple’s latest security updates have arrived.

All still-supported flavors of macOS (Monterey, Big Sur and Catalina), as well as all current mobile devices (iPhones, iPads, Apple TVs and Apple Watches), get patches.

Additionally, Apple’s Xcode development system, used by programmers, also receives an update.

Details are below.

Full details and bulletin numbers

Bug fixes for iPhone and iPad include Remote Code Execution (RCE) flaws in components ranging from the kernel itself to Apple’s image rendering library, graphics drivers, video processing modules, and more. Many of these bugs carry the warning that “a malicious application may be able to execute arbitrary code with kernel privileges”. That’s the kind of security hole that could lead to a complete takeover of the device – known in the jargon as a “jailbreak”, as it evades Apple’s strict lockdown and app restrictions on the device.

Code execution holes at the kernel level could give an attacker control of the entire system, including the parts that manage the security of the rest of the system.

Other notable bugs include: a flaw that could allow malicious applications to evade their sandbox restrictions (such as accessing files they’re not supposed to see, or using resources such as your camera or microphone that they shouldn’t have access to); a Safari bug that could allow you to be tracked even in private mode; and a hole in the Security subsystem that allows sneakily modified applications to bypass the digital signature verification by which the operating system is supposed to verify that they have not been tampered with.

Finally, there’s a lock screen bug, whereby someone who picks up your iPhone while you’re not looking (or steals it, of course) could access your photos without knowing the unlock code.

Macs get fixes for many of the same bugs listed above in the iPhone and iPad section. There are several “bonus bugs” that only apply to macOS, especially in laptop/desktop components such as AppleScript, a powerful system automation tool that lets you launch and control applications, including key input, mouse clicking, configuring devices such as your microphone and webcam, and taking screenshots.

There is also a fix for CVE-2022-0778, a cryptographic bug in OpenSSL that was fixed by the OpenSSL team nearly two months ago. You may remember this bug – it was what is known in the jargon as a code smell: a poorly laid out, poorly programmed loop that didn’t check carefully enough to see if it had exceeded the maximum time it was supposed to spend verifying a digital certificate.

Oddly enough, OpenBSD’s LibreSSL, a “secure” replacement for OpenSSL that was introduced after the infamous Heartbleed flaw in OpenSSL code, is listed as having been patched against the exact same bug. This is a timely reminder not only that software projects with common origins can share latent bugs for years after their development diverges, but also that operating systems often include many different code libraries with similar or overlapping functionality.

Apple macOS, for example, includes at least LibreSSL, OpenSSL and Apple’s own proprietary cryptographic library known as Secure Transport.

The previous, but still Apple-supported, version of macOS, Big Sur, includes fixes for many of the same bugs as Monterey, with the notable addition of a video decoding bug that gives remote attackers a way to gain kernel-level powers, presumably via booby-trapped files.

In this case, we say “gives attackers”, not “could or might give attackers”, because this bug, CVE-2022-22675, is what is called a zero-day. Cybercriminals found it first and are already exploiting it in the wild.

As mentioned above, kernel-level remote code execution exploits are often enough to completely compromise the system, making them highly sought after by jailbreakers, cybercriminals, and creators of spyware and other monitoring tools.

Whatever you do, don’t miss this update!

Like Big Sur (but unlike iOS, even though tvOS has the same version number as iOS), the latest tvOS update fixes CVE-2022-22675, the kernel-level RCE bug described above.

Despite a version number very different from that of tvOS (8.6 instead of 15.5), Apple Watch users are also getting a fix for the zero-day video decoding bug CVE-2022-22675.

Catalina, the version of macOS before Big Sur and the oldest currently supported version, receives many of the same fixes as Big Sur.

However, CVE-2022-22675, the zero-day hole that was patched in Big Sur, tvOS, and watchOS, does not appear to be present here. We assume the bug was introduced after Catalina was released, thus leaving it immune.

The Safari update fixes two RCE flaws that could be triggered simply by viewing booby-trapped content. Apple doesn’t say what kind of content, but given that the bug is in WebKit, the web rendering engine, rather than any of Apple’s media libraries, we suspect the bug is in the handling of web-specific data such as HTML, CSS, or JavaScript.

Note that this update will only be offered to you if you have macOS Big Sur or macOS Catalina. In macOS Monterey and all Apple mobile device platforms, these fixes are included in the main system update.

So remember, if you’re a Big Sur or Catalina user, you’ll install two updates, not just one, with Safari updated separately from the rest of the operating system.

Programmers should get the Xcode update, especially if they use the popular Git source code management system.

According to the brief report on CVE-2022-24765, “On multi-user machines, Git users may unexpectedly end up in a Git working tree.” It looks like some sort of authentication bypass, as if, while logged in as user X, you can suddenly access source code owned by user Y or project Z that you’re not working on.

What to do?

Most Apple users have auto-update enabled these days and therefore expect to receive the latest security patches anyway, without needing to know when the updates are released.

Still, we strongly recommend that you manually check for updates whenever you know there are fixes offered, especially if there are any kernel-level vulnerabilities or zero-day bugs. (Or, as happened here, both at the same time!)

Why risk being late when you could be early?

As the Zero Trust School of Cybersecurity suggests: never assume; always check. So:

  • On your iPhone or iPad: Settings > General > Software update
  • On your Mac: Apple menu > About This Mac > Software update…

Be careful there!
