Headline
Apple Quietly Releases Another Patch for Zero-Day RCE Bug
Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.
Apple has quietly rolled out more updates to iOS to fix an actively exploited zero-day security vulnerability that it patched earlier this month in newer devices. The vulnerability, found in WebKit, can allow attackers to create malicious Web content that allows remote code execution (RCE) on a user’s device.
An update released Wednesday, iOS 12.5.6, applies to the following models: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation.
The flaw in question (CVE-2022-32893) is described by Apple as an out-of-bounds write issue in WebKit. It was addressed in the patch with improved bounds checking. Apple acknowledged that the bug is under active exploit, and is urging users of affected devices to update immediately.
Apple had already patched the vulnerability for some devices — alongside a kernel flaw tracked as CVE-2022-32894 — earlier in August in iOS 15.6.1. That’s an update that covered iPhone 6S and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
The latest round of patches appears to be Apple covering all its bases by adding protection for iPhones running older versions of iOS, noted security evangelist Paul Ducklin.
“We’re guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution,” he wrote in a post on the Sophos Naked Security blog.
The dual coverage by Apple to fix the bug in both versions of iOS is due to the change in which versions of the platform run on which iPhones, Ducklin explained.
Before Apple released iOS 13.1 and iPadOS 13.1, iPhones and iPads used the same operating system, referred to as iOS for both devices, he said. Now, iOS 12.x covers iPhone 6 and earlier devices, while iOS 13.1 and later versions run on iPhone 6s and devices released after.
The other zero-day flaw that Apple patched earlier this month, CVE-2022-32894, was a kernel vulnerability that can allow for entire device takeover. But while iOS 13 was affected by that flaw — and thus got a patch for it in the earlier update — it does not affect iOS 12, Ducklin observed, “which almost certainly avoids the risk of total compromise of the operating system itself” on older devices, he said.
WebKit: A Wide Cyberattack Surface
WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS. By exploiting CVE-2022-32893, a threat actor can build malicious content into a website. Then, if someone visits the site from an affected iPhone, the actor can remotely execute malware on his or her device.
WebKit in general has been a persistent thorn in Apple’s side when it comes to exposing users to vulnerabilities because it spreads beyond iPhones and other Apple devices to other browsers that use it — including Firefox, Edge, and Chrome — putting potentially millions of users at risk from a given bug.
“Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apple’s own Safari browser isn’t the only app at risk from this vulnerability,” Ducklin observed.
Moreover, any app that displays Web content on iOS for purposes other than general browsing — such as in its help pages, its “About” screen, or even in a built-in “minibrowser” — uses WebKit under the hood, he added.
“In other words, just ‘avoiding Safari’ and sticking to a third-party browser is not a suitable workaround [for WebKit bugs],” Ducklin wrote.
Apple Under Attack
While users and professionals alike have traditionally considered Apple’s Mac and iOS platforms as more secure than Microsoft Windows — and this has generally been true for a number of reasons — the tide is beginning to turn, experts say.
Indeed, an emerging threat landscape showing more interest in targeting more ubiquitous Web technologies and not the OS itself has widened the target on Apple’s back, according to a threat report released in January, and the company’s defensive patching strategy reflects this.
Apple has patched at least four zero-day flaws this year, with two patches for previous iOS and macOS vulnerabilities coming in January and one in February — the latter of which fixed another actively exploited issue in WebKit.
Moreover, last year 12 of 57 zero-day threats that researchers from Google’s Project Zero tracked were Apple-related (i.e., more than 20%), with issues affecting macOS, iOS, iPadOS, and WebKit.
Related news
This issue was addressed with improved entitlements. This issue is fixed in iOS 16, watchOS 9. An app may be able to read a persistent device identifier.
Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.
Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild. The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges. Successful exploitation of
The issue was addressed with improved bounds checks. This issue is fixed in macOS Monterey 12.6, iOS 15.7 and iPadOS 15.7, iOS 16, macOS Big Sur 11.7. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32893: webkitgtk: processing maliciously crafted web content may lead to arbitrary code execution
Ubuntu Security Notice 5611-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may
Apple Security Advisory 2022-08-31-1 - iOS 12.5.6 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-31-1 - iOS 12.5.6 addresses code execution and out of bounds write vulnerabilities.
Gentoo Linux Security Advisory 202208-39 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in the arbitrary execution of code. Versions less than 2.36.7 are affected.
Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild. The issue, tracked as CVE-2022-32893 (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. The tech
Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild. The issue, tracked as CVE-2022-32893 (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. The tech
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere. The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is suspected to continue. As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry — which is vital to the global food supply chain — remains vulnerable to kinetic and virtual attacks. Because there’s been no one major cyber attack against Ukraine since Russia’s invasion began, the larg...
By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. Russia’s invasion of Ukraine was once the most talked about story in the world. Six months into the conflict, modern attention spans have moved on to other news stories. But Ukraine Independence Day yesterday should serve as a reminder to everyone that the threats to Ukraine have not gone anywhere. The country still faces a physical conflict with Russia every day that seemingly has no easy end, and the barrage of cyber attacks is suspected to continue. As discussed in our livestream yesterday, Talos continues to see evolving cybersecurity threats in the region, including the most recent GoMet backdoor. And as Joe Marshall highlighted in his blog post last week, Ukraine’s agriculture industry — which is vital to the global food supply chain — remains vulnerable to kinetic and virtual attacks. Because there’s been no one major cyber attack against Ukraine since Russia’s invasion began, the larg...
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.
Apple Security Advisory 2022-08-18-1 - Safari 15.6.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-17-1 - iOS 15.6.1 and iPadOS 15.6.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-17-2 - macOS Monterey 12.5.1 addresses code execution and out of bounds write vulnerabilities.
Apple Security Advisory 2022-08-17-2 - macOS Monterey 12.5.1 addresses code execution and out of bounds write vulnerabilities.
Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.
Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.
Categories: Exploits and vulnerabilities Categories: News Tags: macOS Tags: iOS Tags: CVE-2022-32894 Tags: CVE-2022-32893 Tags: kernel privileges Tags: WebKit Tags: actively exploited Tags: watering hole Tags: exploit kit Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs. (Read more...) The post Urgent update for macOS and iOS! Two actively exploited zero-days fixed appeared first on Malwarebytes Labs.
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An
Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An