Apple again warns of serious security gaps that are probably being actively exploited. There are patches, but not for all systems and bugs. An overview.
Apple has released updates to close two vulnerabilities in its operating systems. The company is aware of reports that the gaps are being actively exploited, it said on Thursday night. Since then, a new, secure version of iOS 15, iPadOS 15 and macOS 12 Monterey has also been available for download. In the meantime, Apple has also pushed a Safari patch for the older macOS versions 11 Big Sur and 10.15 Catalina.
Vulnerabilities in WebKit and Kernel
According to the manufacturer, there is a vulnerability in the WebKit browser engine that allows malicious code to be injected and executed simply by opening a manipulated website. WebKit is not only in the Safari browser, but is used in many places in the operating system to display web content.
There is also a hole in the operating system kernel that allows apps to run arbitrary code with kernel privileges. It can be assumed that the vulnerabilities are used in combination: The code could be injected via the WebKit vulnerability and then executed with kernel rights in order to take control of the iPhone, iPad or Mac remotely.
According to Apple, the two bugs listed as CVE-2022-32893 and CVE-2022-32894 are based on an “out-of-bounds write” problem. So software is able to write outside of the allocated memory. The manufacturer explains that this has been remedied with the updates through better bound checking. The bugs are said to have been reported to the company by anonymous security researchers. No further details were given.
Import iOS 15.6.1 and macOS 12.5.1 yourself
If you haven’t already done so, iPhone, iPad and Mac users should download the updates immediately via the integrated software update and import them manually. The function can be found in the iOS and iPadOS settings under “General” in the “Software update” area, where iOS 15.6.1 and iPadOS 15.6.1 are available for download. Mac users can update to macOS 12.5.1 in System Preferences under Software Update. In macOS 11 and macOS 10.15 Safari 15.6.1 appears there.
Even those who have activated automatic updates should rather load the new versions manually. Apple’s automatic update usually takes its time, the patches are then only made after several days or weeks.
No updates for iOS 12, 13 and 14
Apple has not yet released any updates for older iOS and iPadOS versions. iOS/iPadOS 13 and 14 users can upgrade to iOS 15 to continue receiving such critical security updates. The two older operating system versions obviously no longer receive patches. There is also no update for iOS 12, and owners of iPhone 6 and 5s cannot update to a newer version either. According to Apple, almost 20 percent of active iPhones are still running a version older than iOS 15, as are almost 30 percent of iPads (as of the end of May 2022). Although it can be assumed that the older versions of the operating systems are also affected by the vulnerabilities, this has not yet been confirmed.
It is also unclear whether the recent beta of iOS 16, iPadOS 16 and macOS 13 is affected.
Half patch for older macOS versions
In macOS 11 Big Sur and macOS 10.15 Catalina, the Safari patch released by Apple only fixes the WebKit vulnerability and thus probably the gateway. There is no fix for the kernel bug for the older macOS versions. It is unclear whether they are affected. When asked, Apple merely referred to the security support page.
Active attacks on iOS & Co: Fourth Apple warning 2022
None of this is unusual: With almost every update, Apple eliminates gaps in WebKit that allow malicious code to be executed. It is also the fourth time this year that Apple has warned of active attacks when releasing security patches. In particular, the updates that have now been released out of sequence indicate that Apple considers the gaps to be serious.
iPhone and iPad users can do little more than keep their devices up to date with the latest software. WebKit is the engine used in iOS for all browsers, so using a browser other than Safari won’t help in this regard. Apple has not yet made any specific promises of updates for older operating system versions, patches are still being made available in isolated cases. It remains to be seen to what extent iOS 15 will receive further security updates after the release of iOS 16 in September.
Apple usually still provides security updates for the two versions of macOS that precede the current version, but not all vulnerabilities have been fixed in the past.
