
Updates to Apple’s zero-day update story – iPhone and iPad users read this!

Regular readers will know two things about our attitude to Apple’s security patches:

Apple’s latest security bulletins, which came out earlier this very week, exemplify how the company sometimes increases confusion by saying too little… which is not always a happy alternative to finding out too much:

https://nakedsecurity.sophos.com/2022/10/25/apple-megaupdate-ventura-out-ios-and-ipad-kernel-zero-day-act-now/

Emergent confusion

Based on the enquiries and comments we’ve received from readers in the past few days, the following confusion emerged:

As we said in yesterday’s podcast, faced with the fourth question above from a concerned reader, our short answer was simply, “DUCK: Don’t know./DOUG: Clear as mud.”

Sometimes, security bugs in operating system version X simply don’t apply to version X-1, for example because the bugs exist in code that was only added, or only exposed to danger, in newer releases.

But we’ve also seen Apple fail to produce updates for previous versions for two other reasons, either [a] because an update is genuinely needed, but turned out to be too tricky to get ready and test in time, or [b] because the previous version was now considered out of support, and wasn’t going to get an update, whether necessary or not.

And with Apple security bulletins almost always only telling you about patches that are available right now, missing updates regularly remain an unexplained (and unexplainable) mystery.

A blast of bulletins

Well, this morning we received a blast of 15 security bulletin emails from Apple, most of them listing many of the CVE-numbered bugs and security problems already reported in the bulletins we’d seen earlier in the week.

None of them directly clarified the first three questions above, although we now assume that Apple’s reference to “iPadOS 16” as well as to “iPadOS 16.1” was a possibly misguided attempt to convey that iPadOS was now getting its belated upgrade to the version 16 family, as well as an update whose security fixes are equivalent to those in the new iOS 16.1.

But the very first bulletin in the latest salvo from Apple did solve the last question listed above, by announcing iOS/iPadOS 15.7.1, which turns out to be a critical fix:

APPLE-SA-2022-10-27-1: iOS 15.7.1 and iPadOS 15.7.1

iOS 15.7.1 and iPadOS 15.7.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213490.

[. . .]

Kernel
Available for: iPhone 6s and later, iPad Pro (all models),
iPad Air 2 and later, iPad 5th generation and later,
iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code
with kernel privileges. Apple is aware of a report that this
issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with
improved bounds checking.

CVE-2022-42827: an anonymous researcher

So, iOS/iPadOS 15 is still supported, and if you didn’t bite the bullet and upgrade to iOS 16.1 (or to the schismatically named iPadOS 16-that-is-also-16.1) earlier in the week…

…then you should make sure you get iOS/iPadOS 15.7.1 right away, because the CVE-2022-42827 kernel zero-day hole fixed in iOS 16.1 is right there in iOS/iPadOS 15.7, under active exploitation.

In other words, this was one of those cases where the reason for the missing update a few days ago was almost certainly simply that the patches weren’t ready in time.
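To triage bulletins like the one quoted above mechanically rather than by eye, here is an added example (not Apple’s or Sophos’s code) that parses the hard-wrapped APPLE-SA email layout and pulls out the CVEs that Apple itself flags as actively exploited. The sample bulletin is constructed from the kernel entry above, and matching on the phrase “actively exploited” is an assumption about Apple’s standard wording.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the APPLE-SA email layout (kernel entry quoted above).
BULLETIN = """\
APPLE-SA-2022-10-27-1: iOS 15.7.1 and iPadOS 15.7.1

Kernel
Available for: iPhone 6s and later, iPad Pro (all models),
iPad Air 2 and later, iPad 5th generation and later,
iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code
with kernel privileges. Apple is aware of a report that this
issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with
improved bounds checking.

CVE-2022-42827: an anonymous researcher
"""

@dataclass
class Entry:
    component: str
    available_for: str
    impact: str = ""
    cves: list = field(default_factory=list)

    @property
    def actively_exploited(self):
        # Assumed: Apple's standard phrasing for in-the-wild exploitation.
        return "actively exploited" in self.impact.lower()

def parse_bulletin(text):
    """Return (bulletin_id, entries) parsed from one APPLE-SA email body."""
    m = re.match(r"\s*(APPLE-SA-[\w-]+):", text)
    entries, cur = [], None
    for para in re.split(r"\n\s*\n", text):   # blank-line separated blocks
        p = " ".join(para.split())            # rejoin hard-wrapped lines
        hdr = re.match(r"(.+?) Available for: (.+)", p)
        if hdr:                               # component heading + platforms
            cur = Entry(hdr.group(1), hdr.group(2))
            entries.append(cur)
        elif cur and p.startswith("Impact: "):
            cur.impact = p[len("Impact: "):]
        elif cur and p.startswith("CVE-"):
            cur.cves += re.findall(r"CVE-\d{4}-\d{4,}", p)
    return (m.group(1) if m else None), entries

def urgent_cves(text):   # CVEs Apple itself flags as actively exploited
    return [c for e in parse_bulletin(text)[1] if e.actively_exploited for c in e.cves]
```

Feeding the real 15-bulletin batch through this would have surfaced CVE-2022-42827 for iOS/iPadOS 15.7.1 as the one item needing same-day action.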

What to do?

TL;DR if you’re an iPhone or iPad user: if you’re still on iOS/iPadOS major version 15, go to Settings > General > Security Update right away.

Check even if you’ve got automatic updates turned on, and remember not only to approve the download if you don’t have it already, but also to force your device through the install stage, which requires one or more reboots (and does, of course, take your phone or tablet offline for a while).

TL;DR if you’re Apple: a little more clarity would go a long way in security bulletins, especially when you know either that a critical update is in the wings for users of earlier versions, or that they won’t be needing an update because their version isn’t affected.

By the way, if you decided to jump ahead to iOS/iPadOS 16.1 earlier this week, just to be safe…

…you can’t now go back to iOS/iPadOS 15.7.1, because Apple doesn’t allow downgrades.

(Downgrades facilitate jailbreaking, which Apple aims to prevent, and in any case a downgrade would require a full data wipe first, to stop it being used as a malevolent “bring your own bug” security bypass to exfiltrate personal information.)
