Apple has released a security update to address various previously exploited vulnerabilities, including one exploited in the wild. The update covers serious security bugs in macOS and iOS/iPadOS.
The first zero-day (CVE-2022-22587) is a memory corruption flaw that a malicious app might use to run arbitrary code with kernel privileges. The vulnerability affects iOS, iPadOS, and macOS Monterey, and Apple has improved input validation to fix it.
The second zero-day issue is a well-publicized WebKit flaw in the widely used Safari browser (CVE-2022-22594). The information exposure vulnerability affects macOS, iOS, and iPadOS browsers. FingerprintJS researchers revealed it last week, and it allows a snooping website to learn about other tabs a user may have open.
The update consists of:
- tvOS 15.3
- Safari 15.3
- watchOS 8.4
- iOS and iPadOS 15.3
- macOS 12.2 (Big Sur 11.6.3, Monterey 12.2, Catalina 10.15)
iOS and iPadOS 15.3
iOS and iPadOS are mobile operating systems developed by Apple Inc. Some of the vulnerabilities that affected these operating systems are as follows:
- CVE-2022-22584: A logic issue was addressed with improved validation.
- CVE-2022-22590: A logic issue was addressed with improved state management.
- CVE-2022-22579: A validation issue was addressed with improved input sanitization.
- CVE-2022-22587: A buffer overflow issue was addressed with improved memory handling.
- CVE-2022-22585: A memory corruption issue was addressed with improved input validation.
- CVE-2022-22589: A use after free issue was addressed with improved memory management.
- CVE-2022-22593: An information disclosure issue was addressed with improved state management.
- CVE-2022-22594: A cross-origin issue in the IndexDB API was addressed with improved input validation.
- CVE-2022-22578: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.
Customers can refer to the Apple Advisory for details on iOS and iPadOS 15.3.
macOS Big Sur 11.6.3
The current major release of macOS, Apple Inc.’s operating system for Macintosh computers, is macOS Big Sur (version 11). It is the successor to macOS Catalina (version 10.15).
Customers can refer to the Apple Advisory for details on macOS Big Sur 11.6.3.
Safari 15.3
Safari is a web browser developed by Apple, which is based on the WebKit engine. The update is released to address a zero-day vulnerability that has been exploited in the wild.
Customers can refer to the Apple Advisory for details on Safari 15.3.
Qualys Detection
Qualys customers can scan their devices with QIDs 376365, 376366, 630774, and 610395 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://support.apple.com/en-in/HT213053
https://support.apple.com/en-us/HT213055
https://support.apple.com/en-us/HT201222
https://threatpost.com/apple-zero-day-security-exploited/178040/