Headline
CVE-2022-32872: About the security content of iOS 15.7 and iPadOS 15.7
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, iOS 15.7 and iPadOS 15.7. A person with physical access to an iOS device may be able to access photos from the lock screen.
Released September 12, 2022
Contacts
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed with improved checks.
CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-32911: Zweig of Kunlun Lab
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An app may be able to disclose kernel memory
Description: The issue was addressed with improved memory handling.
CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: The issue was addressed with improved bounds checks.
CVE-2022-32917: an anonymous researcher
Maps
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An app may be able to read sensitive location information
Description: A logic issue was addressed with improved restrictions.
CVE-2022-32883: Ron Masas, breakpointhq.com
MediaLibrary
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A user may be able to elevate privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2022-32908: an anonymous researcher
Safari
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Visiting a malicious website may lead to address bar spoofing
Description: This issue was addressed with improved checks.
CVE-2022-32795: Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati
Safari Extensions
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A website may be able to track users through Safari web extensions
Description: A logic issue was addressed with improved state management.
WebKit Bugzilla: 242278
CVE-2022-32868: Michael
Shortcuts
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A person with physical access to an iOS device may be able to access photos from the lock screen
Description: A logic issue was addressed with improved restrictions.
CVE-2022-32872: Elite Tech Guru
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A buffer overflow issue was addressed with improved memory handling.
WebKit Bugzilla: 241969
CVE-2022-32886: P1umer, afang5472, xmzyshypnc
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved bounds checking.
WebKit Bugzilla: 242762
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative
Related news
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.
Red Hat Security Advisory 2023-2834-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32886: A vulnerability was found in webkitgtkm, where a buffer overflow issue was addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. * CVE-2022-32888: A vulnerability was found in webkitgtk, where an out-of-bounds read was addressed with improved bounds checking. Processing mali...
Red Hat Security Advisory 2023-2256-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include buffer overflow, bypass, code execution, information leakage, out of bounds write, and use-after-free vulnerabilities.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32886: A vulnerability was found in webkitgtkm, where a buffer overflow issue was addressed with improved memory handling. Processing maliciously crafted web content may lead to arbitrary code execution. * CVE-2022-32888: A vulnerability was found in webkitgtk, where an out-of-bounds read was addressed with improved bounds checking. Processing mali...
Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to
A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges.
A logic issue was addressed with improved state management. This issue is fixed in iOS 16. Deleted contacts may still appear in spotlight search results.
This issue was addressed with improved entitlements. This issue is fixed in iOS 16, watchOS 9. An app may be able to read a persistent device identifier.
A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.
Apple Security Advisory 2022-10-27-14 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 2022-10-27-13 - watchOS 9 addresses buffer overflow, bypass, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-10-27-11 - tvOS 16 addresses buffer overflow, code execution, out of bounds read, out of bounds write, spoofing, and use-after-free vulnerabilities.
Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.
Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild. The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges. Successful exploitation of
Such exploits sell for up to $10 million, making them the single most valuable commodity in the cybercrime underworld.
Ubuntu Security Notice 5642-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. Public schools in the United States already rely on our teachers for so much — they have to be educators, occasional parental figures, nurses, safety officers, law enforcement and much more. Slowly, they’re having to add “IT admin” to their list of roles. Educational institutions have increasingly become a target for ransomware attacks, an issue already highlighted this year by a major cyber attack on the combined Los Angeles school district in California that schools are still recovering from. Teachers there reported that during the week of the attack, they couldn’t enter attendance, lost lesson plans and presentations, and had to scrap homework plans. Technology has become ever-present in classrooms, so any minimal disruption in a school’s network or software can throw pretty much everything off. The last thing teachers need to worry about now is defending against a well-funded threat act...
Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 2022-09-12-5 - Safari 16 addresses buffer overflow, code execution, out of bounds read, and spoofing vulnerabilities.
Apple Security Advisory 2022-09-12-4 - macOS Monterey 12.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2022-09-12-4 - macOS Monterey 12.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2022-09-12-4 - macOS Monterey 12.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2022-09-12-4 - macOS Monterey 12.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2022-09-12-4 - macOS Monterey 12.6 addresses bypass and code execution vulnerabilities.
Categories: Exploits and vulnerabilities Categories: News Apple has patched an actively-exploited flaw that affects a host of devices and software, including iPhones, Macs, iPads, and iPod touch. (Read more...) The post Important update! iPhones, Macs, and more vulnerable to zero-day bug appeared first on Malwarebytes Labs.
Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may