We have been waiting for iOS 16, due to the recent Apple event in which the iPhone 14 and the upgraded hardware products were released to the public.
This morning, we made a file Settings > general > system updatejust in case…
…but nothing appeared.
But shortly before 8pm UK time [2022-09-12T18:31Z]a plethora of update notifications dropped in our inbox, announcing a strange mix of new and updated Apple products.
We even tried before reading the flyers Settings > general > system update Once again, this time we were offered an upgrade to iOS 15.7with an alternative upgrade that will take us straight to iOS 16:
Upgrade and upgrade available at the same time!
(We went to upgrade to iOS 16 – the download was just under 3GB, but once downloaded, the process went faster than we expected, and so far everything seems to be working fine.)
Make sure to update even if you haven’t upgraded
Just to be clear, if you don’t want to Raising the level of To iOS 16 so far, you still need to ModernizationBecause of iOS 15.7 And the iPadOS 15.7 The updates include several security patches, including a dubbed bug fix CVE-2022-32917.
The error, whose discovery is simply attributed to “Anonymous researcher”As follows:
[Bug patched in:] Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: The issue was addressed with improved bounds checks.
As we mentioned last time Apple Zero-Day Emergency Spots A kernel code execution error means that even innocent-looking apps (possibly including those that hit the App Store because they didn’t raise any obvious red flags when they checked) can be blasted free from Apple’s app-by-app security lock…
…and potentially hijacking the entire device, including the right to perform system operations such as using the camera or cameras, activating the microphone, obtaining location data, taking screenshots, or snooping on network traffic before it is encrypted ( or after decrypting them), access files belonging to other applications, and much more.
If this “problem” (or safety hole As you might prefer to call it) actively exploited in the wild, it is logical to conclude that there were apps that users actually installed, which they thought was a reliable source, even though those apps contained activation code and abused this vulnerability.
Interestingly enough, macOS 11 (Big Sur) is getting its own update to macOS 11.7which patches a hole on the second zero day called CVE-2022-32894described in exactly the same words as the zero-day flyer for iOS quoted above.
However, CVE-2022-32894 is only listed as a Big Sur error, as the latest versions of macOS 12 (Monterey), iOS 15, iPadOS 15, and iOS 16 appear to be unaffected.
Remember that a vulnerability that was only fixed after the bad guys actually figured out how to exploit it is known as zero day Because there has never been a day when even the fiercest user or sysadmin could proactively patch it.
Updates announced in this round of handouts include the following.
We’ve listed them below in the order in which they arrived via email (reverse numerical order) so that iOS 16 appears at the bottom:
- APPLE-SA-2022-09-12-5: Safari 16. This update applies to macOS Big Sur (version 11) and Monterey (version 12). Safari update for macOS 10 (Catalina) is not listed. A couple of the bugs fixed can lead to remote code execution, which means that a booby-trapped website could plant malware on your computer (which could later misuse CVE-2022-32917 to take over at the kernel level), Although none of these errors are listed as zero days. (We see HT213442.)
- APPLE-SA-2022-09-12-4: macOS Monterey 12.6.1 Update This update can be considered urgent, as it includes a fix for CVE-2022-32917. (We see HT213444.)
- APPLE-SA-2022-09-12-3: macOS Big Sur 11.7.0 Update A similar slice of patches to the ones above for macOS Monterey, including CVE-2022-32917 Zero-day. This Big Sur update also patches CVE-2022-32894, the second day of the kernel described above. (We see HT213443.)
- APPLE-SA-2022-09-12-2: iOS 15.7 And the iPadOS 15.7 As mentioned at the beginning of the article, these updates patch CVE-2022-32917. (We see HT213445.)
- APPLE-SA-2022-09-12-1: iOS 16 The biggest one! In addition to a host of new features, this includes separately delivered Safari patches for macOS (see the top of this list) and a CVE-2022-32917 fix. Interestingly, the iOS 16 Upgrade Bulletin recommends this “[a]Additional entries for CVE [are] to be added soon”, but does not refer to CVE-2022-23917 as day zero. Whether it’s because iOS 16 hasn’t been officially considered “in the wild” per se, or because the known vulnerability doesn’t yet work on an unpatched iOS 16 Beta, we can’t tell you. But it seems that the bug has already been transferred from iOS 15 to iOS 16 database. (See HT213446.)
What do I do?
as always, Patch early, patch often.
Full Upgrade from iOS 15 to iOS 16.0since it reports itself after installation, it will fix known bugs in iOS 15. (We haven’t yet seen an announcement for iPadOS 16.)
If you are not ready to upgrade yet, be sure to upgrade to iOS 15.7due to a hole in the zero-day nucleus.
On iPads, for which iOS 16 isn’t mentioned yet, get iPadOS 15.7 For now – don’t stop waiting for iPadOS 16 to come out, since you’ll be needlessly leaving yourself exposed to a known exploitable kernel flaw.
On Macs, Monterey and Big Sur get a double update, one for the Safari patch, which becomes Safari 16and one for the operating system itself, which will take you to macOS 11.7 (Big Sur) or macOS 12.6 (Monterey).
There’s no iOS 12 patch this time around, and no mention of macOS 10 (Catalina) — whether Catalina is no longer supported now, or simply too old to have any of these bugs, we can’t tell you.
Watch this space for any CVE updates!