The latest raft of non-emergency Apple security updates are out, patching a total of 87 different CVE-rated software bugs across all Apple products and plaforms.
There are 10 security bulletins for this bunch of updates, as follows:
- APPLE-SA-2022-03-14-1: iOS 15.4 and iPadOS 15.4 (HT213182)
- APPLE-SA-2022-03-14-2: watchOS 8.5 (HT213193)
- APPLE-SA-2022-03-14-3: tvOS 15.4 (HT213186)
- APPLE-SA-2022-03-14-4: macOS Monterey 12.3 (HT213183)
- APPLE-SA-2022-03-14-5: macOS Big Sur 11.6.5 (HT213184)
- APPLE-SA-2022-03-14-6: Security Update 2022-003 Catalina (HT213185)
- APPLE-SA-2022-03-14-7: Xcode 13.3 (HT213189)
- APPLE-SA-2022-03-14-8: Logic Pro X 10.7.3 (HT213190)
- APPLE-SA-2022-03-14-9: GarageBand 10.4.6 (HT213191)
- APPLE-SA-2022-03-14-10: iTunes 12.12.3 for Windows (HT213188)
The current and two previous versions of macOS (Monterey, Big Sur and Catalina) all get updates, but only the latest versions of Apple’s mobile device operating systems (iOS, iPadOS, watchOS and tvOS) are supported in this round of fixes.
Note that if you’re using macOS Catalina, you won’t see a new three-number operating system version after the update; you’ll just get Security Update 2022-003 instead.
What’s fixed?
With 87 noteworthy bugs in the mix, there are plenty of security issues to choose from, including several that are listed with a warning that the bug might “lead to arbitrary code execution”, or even that it might be exploitable “to execute arbitrary code with kernel privileges”.
Three remote code execution bugs are listed in WebKit, the HTML rendering code that underlies all of Apple’s own web browsing code, including Safari, and that underlies all web browsing on App Store programs.
For App Store software, WebKit is not merely a de facto choice for Apple’s code but a de iure browser requirement for everyone, even Microsoft, Google and Mozilla: if you use your own HTML rendering engine instead of WebKit, your app will be rejected.
Those WebKit bugs are covered by four bug numbers (CVE-2022-22610, CVE-2022-22624, CVE-2022-22628 and CVE-2022-22629), found and responsibly disclosed by three different researchers from three different external companies.
They’re all described as flaws where “processing maliciously crafted web content may lead to code execution”, which means that simply looking at a web page, without clicking any links, using any menus, or approving any download actions, might be enough to implant malware on your computer or your phone.
There’s a similar and equally alarming set of bugs (including CVE-2022-22633, CVE-2022-22634, CVE-2022-22635 and CVE-2022-22636) in the document, audio and video viewing components on iPhones and iPads.
Those security holes could variously allow malware implantation (including with kernel privileges) or elevation of privilege, simply by presenting you with maliciously crafted PDFs or booby-trapped videos to look at.
Remember that a non-kernel code execution bug on a device such as an iPhone typically restricts the attacker to fossicking around in the data of the app that triggered the bug.
So, app-level compromise is often dangerous enough in its own right, but not as dramatically dangerous as a root-level or kernel-level compromise that lets one app snoop on all the others.
But if a moderately dangerous remote code execution bug, or RCE, is combined with an EoP, short for elevation-of-privilege exploit, then the attacker’s remotely triggered malware code may be able not only to get in, but also to move around on your device.
A two-pronged attack that takes and RCE-plus-EoP approach can therefore often evade the “each-app-is-cloistered-in-its-own-little-world” sandbox protection usually imposed by the operating system.
Information leakage
There were also numerous information leakage bugs found and fixed.
Some of these aren’t truly dangerous on their own, but are nevertheless a reminder that apps (including, as we’ve often reported before, the Lock Screen app!) may nevertheless not live up to the security promises you expect they’ll keep.
Examples include
- A FaceTime bug where you could end up sharing audio and video without realising (CVE-2022-22643).
- A MediaRemote bug (CVE-2022-22670) that could let rogue apps figure out what other software you’ve already installed.
- A Preferences flaw (CVE-2022-22609) by which an attacker could recover the security settings you’ve chosen for other apps.
- An ironic Sandbox security hole that could violate your privacy by leaking the privacy settings you’ve chosen for various apps (CVE-2022-22600).
- A sneaky pair of bugs in the macOS Login Window (CVE-2022-22647 and CVE-2022-22656) that could let someone see what your screen looked like just before you logged out, or even let them bypass the login window and get in directly as you.
Windows, too
Note that there’s also an update for iTunes on Windows (for Windows 10 and later).
This update closes a number of remote code execution bugs, including not only the abovementioned WebKit holes, but also various related image-handling bugs that could allow a booby-trapped file to take over your computer even if all you did was look at it.
What to do?
Here’s how to check for and get the updates if you don’t have them already:
- On your iPhone or iPad: Settings > General > Software Update
- On your Mac: Apple menu > About this Mac > Software Update…
- On Windows: iTunes > Help > Check for Updates (if you installed iTunes from the Microsoft Store, use Microsoft Store > Library > Get updates instead)
Don’t delay. Do it today!
The version numbers (or the designations of the installed security updates) that you should look for after you’ve updated are listed at the top of the article.