Site icon Sophos News

Apple patches zero-day holes – even in the brand new iOS 16

We’ve been waiting for iOS 16, given Apple’s recent Event at which the iPhone 14 and other upgraded hardware products were launched to the public.

This morning, we did a Settings > General > Software Update, just in case…

…but nothing showed up.

But some time shortly before 8pm tonight UK time [2022-09-12T18:31Z], a raft of update notifications dropped into our inbox, announcing a curious mix of new and updated Apple products.

Even before we read through the bulletins, we tried Settings > General > Software Update again, and this time we were offered an upgrade to iOS 15.7, with an alternative upgrade that would take us straight to iOS 16:

An update and an upgrade available at the same time!

(We went for the upgrade to iOS 16 – the download was just under 3GB, but once downloaded the process went faster than we expected, and everything thus far seems to be working just fine.)

Be sure to update even if you don’t upgrade

Just to be clear, if you don’t want to upgrade to iOS 16 just yet, you still need to update, because the iOS 15.7 and iPadOS 15.7 updates include numerous security patches, including a fix for a bug dubbed CVE-2022-32917.

The bug, the discovery of which is credited simply to “an anonymous researcher”, is described as follows:

[Bug patched in:] Kernel

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

As we pointed out when Apple’s last emergency zero-day patches came out, a kernel code execution bug means that even innocent-looking apps (perhaps including apps that made it into the App Store because they raised no obvious red flags when examined) could burst free from Apple’s app-by-app security lockdown…

…and potentially take over the entire device, including grabbing the right to perform system operations such as using the camera or cameras, activating the microphone, acquiring location data, taking screenshots, snooping on network traffic before it gets encrypted (or after it’s been decrypted), accessing files belonging to other apps, and much more.

If, indeed, this “issue” (or security hole as you might prefer to call it) has been actively exploited in the wild, it’s reasonable to infer that there are apps out there that unsuspecting users have already installed, from what they thought was a trusted source, even though those apps contained code to activate and abuse this vulnerability.

Intriguingly, macOS 11 (Big Sur) gets its own update to macOS 11.7, which patches a second zero-day hole dubbed CVE-2022-32894, described in exactly the same words as the iOS zero-day bulletin quoted above.

However, CVE-2022-32894 is listed as a Big Sur bug only, with the more recent operating system versions macOS 12 (Monterey), iOS 15, iPadOS 15 and iOS 16 apparently unaffected.

Remember that a security hole that was only fixed after the Bad Guys had already figured out how to exploit it is known as a zero-day because there were zero days during which even the keenest user or sysadmin could have patched against it proactively.

The full story

The updates announced in this round of bulletins include the following.

We’ve listed them below in the order they arrived by email (reverse numeric order) so that iOS 16 appears at the bottom:

What to do?

As always, Patch Early, Patch Often.

A full-blown upgrade from iOS 15 to iOS 16.0, as it reports itself after installation, will patch the known bugs in iOS 15. (We’ve not yet seen an announcement for iPadOS 16.)

If you’re not ready for the upgrade yet, be sure to upgrade to iOS 15.7, because of the zero-day kernel hole.

On iPads, for which iOS 16 isn’t yet mentioned, grab iPadOS 15.7 right now – don’t hang back waiting for iPadOS 16 to come out, given that you’d be leaving yourself needlessly exposed to a known exploitable kernel flaw.

On Macs, Monterey and Big Sur get a double-update, one to patch Safari, which becomes Safari 16, and one for the operating system itself, which will take you to macOS 11.7 (Big Sur) or macOS 12.6 (Monterey).

No patch for iOS 12 this time, and no mention of macOS 10 (Catalina) – whether Catalina is now no longer supported, or simply too old to include any of these bugs, we can’t tell you.

Watch this space for any CVE updates!


Exit mobile version