Apple has just sent out two security advisories covering two zero-day security holes, namely:
- Apple Bulletin HT213219: Kernel code execution bug CVE-2022-22675. This security fix is for iOS and iPadOS, both of which get updated to version 15.4.1.
- Apple Bulletin HT213220: Kernel code execution bug CVE-2022-22675 and kernel data leakage bug CVE-2022-22674. This security fix is for macOS Monterey, which gets updated to version 12.3.1.
No earlier versions of iOS, iPadOS or macOS seem to be affected by these bugs – or, more precisely, no updates for older versions have been published yet.
Apple, as ever, isn’t saying anything about the platforms that didn’t get updates, so it’s impossible to say whether they’re immune and thus unaffected, affected but simply being ignored, or affected and still awaiting updates that will show up in a few days. (The last of these does happen from time to time.)
Intriguingly, Apple’s core Security Updates page at HT201222 reports that there are updates denoted tvOS 15.4.1 and watchOS 8.5.1, but Apple merely remarks that these updates have “no published CVE entries”.
There’s no detail about what types of security flaw, if any, were addressed in the Apple Watch and Apple TV patches, so we can’t tell you whether these updates have any common ground with the zero-day fixes for Apple’s phones, tablets, laptops and desktop computers.
Jailbreaking and spyware a possibility
Ominously, given the world’s collective fear of cyberattacks and global hacking right now, each of the CVE-numbered bugs mentioned above is accompanied by Apple’s vague-as-usual wording that says, “Apple is aware of a report that this issue may have been actively exploited.”
In one word, that means: Zero-day!
A zero-day, of course, is a security hole that the Bad Guys not only found first, but also figured out how to exploit before any patches were available. (In other words, there were zero days on which you could have patched ahead of the exploit, even if you were the world’s most proactive patcher.)
Also, as we’ve pointed out before, kernel code execution flaws – where an unauthorised app or chunk of injected code doesn’t just take over a single application, but potentially gets unsandboxed access to the entire running system – are the most broadly dangerous sort of bug on iPhones and iPads.
Apple’s mobile devices are locked down much more tightly by default than computers running macOS, and while you can increase security on macOS, you aren’t supposed to be able to reduce security on iOS and iPadOS to bypass those default restrictions.
So, malware that gets unauthorised access to a single iPhone or iPad app might be able to run off with important personal data specific to that app – all your photos, perhaps, or your text message history – but isn’t supposed to be able to mess with any other apps or data on the device.
But malware with kernel control pretty much has access-all-areas privileges, meaning that it could be used for a total jailbreak (the jargon term for bypassing Apple’s strict security controls).
Likewise, kernel code execution bugs could be used for general-purpose spyware that could peek into, and perhaps even manipulate, all aspects of your digital life, including location data, IMs and text messages, emails, browsing history, contacts, phone records, photos, and much more.
What to do?
Patch early, patch often!
Most Apple users go for automatic updating, but that doesn’t mean you automatically get the update right away.
Apple understandably spreads out the delivery of its updates to prevent every Apple device in the world trying to update at exactly the same moment, which would clog up the process and slow things down, on average, for everyone.
So, even if you have automatic updating turned on, check for yourself anyway, and jump to the head of the queue if you haven’t received the update yet!
Here’s how to check your update status, and get the updates right away if you don’t have them already:
- On your iPhone or iPad: Settings > General > Software Update
- On your Mac: Apple menu > About this Mac > Software Update…
Take care out there!
Isaac Thepipe
The article is a little unclear. Is the iOS update form people who are currently running 15.4.1 or will the patch update iOS to 15.4.1?
Paul Ducklin
I thought my choice of words (top of article) was clear enough: “This update is for iOS and iPadOS, both of which go to version 15.4.1.” In other words, the version is 15.4.1 *after* the update. Or, if you prefer, you are updating *to* version 1.4.1.
Perhaps I will see if I can make it clearer still.
Paul Ducklin
Now it reads: “This security fix is for iOS and iPadOS, both of which get updated to 15.4.1”. I think that clarifies that the version number listed is what you see after the update, not before.
Jonathan
“(In oither words, there were zero days you could have been patched ahead of the exploit, even if you were the world’s most proactive patcher.)”
Wow, going for a record in grammatical and typographical errors in one sentence?
Paul Ducklin
I found a typo (oither -> other). But I can’t find any others. I am not saying that there aren’t any grammos in there, but it would have helped if you had said what you thought they were. There are two places where you might argue for a different sentence construction, e.g. avoid ellipsis by writing “zero days on which”, and prefer the active voice by writing “could have patched”. But I think that the use of “are you patched?” instead of “have you patched?” is unexceptionable, and reinforces the fact that for a well-organised patcher, automation really can help you “get patched” rather than always needing “to patch”.
What other mistakes have I missed? (I have made the two changes alluded to above anyway, just for something to do, but I am still at a loss to figure out the world record I am supposed to have broken.)
Claire
Speaking as a one-time English teacher – your sentence is acceptable, though perhaps not optimum.
Using the active voice instead of “you could have been patched” would be better, because the subsequent “… even if you were the world’s most proactive patcher” defines you as the agent doing the patching. You are not the thing being patched. You can perhaps see this better if you substitute the pedantic “one” for “you”.
The “you” in the first case refers to a composite person: you, and your computer system. The second “you” is more easily interpreted as referring to a single person. I would not call this an unacceptable grammatical error, but your corrected version is better.
{you asked!]
Paul Ducklin
As noted above, my original choice of “getting patched” was quite deliberate, and – as you say – cannot IMO be called an *error* (you can be a patcher, i.e. one who concerns yourself with patching in general, and nevertheless get patched by someone or something else in practice)…
…but my desperation was in re-re-reading the sentence to find the apparently world-beating number of mistakes. I still can’t find them, but the OP has not yet returned to explain where they are. Other than oither.
Torsten
Paul, I really enjoy your articles every day and I like to read them as they are, even with or maybe because of typos. Just keep it going! Don’t change anything!
Bryan
Hey Duck, I’ve not commented in a bit, but I’ll add this:
I like your articles. And part of that is your knowledge beyond the narrow scope of digital security. Every now and then I learn a new word as well.
Specifically here: I suspect it may boil down to labeling style preference as an error, requiring a fix.
If we’re straining for the Ultimate Nitpicky White Glove Test, I suppose I’m with Claire–and we could lament how
even if you were the world’s most proactive patcher
indicates the reader is doing the patchwork,
…while the passive voice of
you could have been patched
implies someone else is doing it for them, or at least leaves that interpretation optional.
But IMO (also with Claire) that’s not a hill I’d choose to die on–irrespective of which side I elected to support. Plus your automation example further erodes that distinction anyway.
Oither than that, I likewise didn’t find anything that’s patently an error.
:,)
4caster
“labelling”, unless you are American.
Paul Ducklin
Both spellings can be considered unexceptionable anywhere in the Anglosphere. For non-native English speakers, “labelling” does look as though you shold say “luh-BELL-ing”, although you can argue that “labeling” lends itself to a guessed pronunciation of “lu-BEAL-ing”. English spelling… it’s not only often entirely unphonetic (e.g ghoti could be pronounced “fish”), but also offers variants for many words. Having said that, “labeling” does admittedly look weird to me. (But not as weird as “focussing”, where Commonwealth English prefers the unduplicated form “focusing”.)
In an amazoing coincidence, the Klingon word for fish is “ghotI'”. What are the chances of THAT :-)
Bryan
While I prefer the British spelling of “grey” (and a handful of other words which don’t spring to mind ATM), I find more of the double-consonants-are-semi-optional words to look clumsy with than without.
travelling
labelling
cancelled
Not sure I’ve ever seen focussing until today–but seeing it spelled like that surely taxes my focus!
Paul Ducklin
Did it leave you feeling concused?
Bryan
…at least nonplused
Sue Quat
Picky. Have you nothing better to do?
Bryan
Wah wah…
I want my ad-free and non-subscription Internet content to also be impeccably pruned, triple-edited, and fully-warranted against typos, errors, or sub-optimal information.
I insist that providers preclude even any non-flawless sentence structure below the level of Pulitzer quality.
This I demand in the name of the gravesite of net-neutrality!
Good luck on the remainder of the interwebs buddy.
Should be a fun ride.
Paul Ducklin
That’s a compliment… I think :-)
Thanks.
Bryan
An implicit complement to be certain.
Rather than downvote Jonathan, I elected to traipse into the discussion with a snarky retort.
(who says we always have to choose the high road?)
Re-reading it I realize I’d forgotten a word; I intended to include “educational” in
ad-free and non-subscription Internet content
Ah well… I suppose there’s a lesson in there somewhere.
Paul Ducklin
“Muphry’s Law.” (Every comment about typos, grammos or other language blunders will contain at least one such blunder.)
Bryan
If that was intentional–I love it!
If not–I’m a little disappointed.
:,)
Paul Ducklin
It was intentional. Muphry’s Law is a real thing! Ask any online writer :-)
Buzz
“No earlier versions of iOS, iPadOS or macOS seem to be affected by these bug”..
Is macOS Monterey the only affected version?
In short.. Is there an easy way to check whether or not I need to do anything ?
Paul Ducklin
Try the steps given at the end of the article (Apple Menu > About this Mac > Software Update…)
As someone pointed out on our Twitter feed, it looks as though “Safari 15.4 got re-released” (I got an update on Catalina when I fired up my oldish MacBookm over the weekend):
https://twitter.com/Chasapple/status/1509931326899589123
There’s nothing official on Apple’s security portal page HT201222., but it’s worth doing an update check. If there is an update pending you’ll be able to fetch it; if not you’ll know you don’t need to.