Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.
The relevant security bulletins, update numbers, and where to find them online are as follows:
- APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
- APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
- APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
- APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
- APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
- APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
- APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341
As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPadOS.
But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) applies to users of earlier macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.
An honorary zero-day
By the way, if you’ve got a Mac with an earlier version of macOS, don’t forget about that second download for Safari, because it’s vitally important, at least as far as we can see.
That’s because one of the browser-related patches in this round of updates deals with a vulnerability in WebRTC (web real-time communications) known as CVE-2022-2294…
…and if that number sounds familiar, it should, because it’s the same bug that was fixed as a zero-day by Google in Chrome (and by Microsoft in Edge) about two weeks ago.
Intriguingly, Apple hasn’t declared any of this month’s vulnerabilities as “reported to be in the wild”, or as “zero-day bugs”, despite the abovementioned patch that was dubbed a zero-day hole by Google.
Whether that’s because the bug isn’t as easy to exploit in Safari, or simply because no one has traced back any Safari-specific misbehaviour to this particular flaw, we can’t tell you, but we’re treating it as an “honorary zero-day” vulnerability, and patching zealously as a result.
Pwn2Own hole closed
Apple has also apparently fixed the bug found by German cybersecurity researcher Manfred Paul at the recent Pwn2Own competition in Canada, back in May 2022.
Manfred Paul exploited Firefox with a two-stage bug that earned him $100,000 ($50,000 for each part), and got into Safari as well, for a further $50,000 bounty.
Indeed, Mozilla published its fix for Paul’s bugs within two days of receiving his report at Pwn2Own.
Apple, in contrast, took two months to deliver its post-Pwn2Own patch:
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative [Pwn2Own]
Remember, however, that responsible disclosure is part of the Pwn2Own competition, meaning that anyone claiming a prize is required not only to hand over full details of their exploit to the affected vendor, but also to keep quiet about the vulnerability until the patch is out.
In other words, as laudable and exciting as Mozilla’s two-day patch delivery time may have been, Apple’s much slower response is nonetheless acceptable.
The live video streams you may have seen from Pwn2Own served to indicate whether each competitor’s attack succeeded, rather than to reveal any information about how the attack actually worked. The video displays used by the competitors had their backs to the camera, so you could see the faces of the competitors and adjudicators, but not what they were typing or .
As usual, the numerous bugs patched by Apple in these updates include vulnerabilities that could, in theory, be chained together by determined attackers.
A bug listed with the proviso that “an app with root privileges may be able to execute arbitrary code with kernel privileges” doesn’t sound terribly worrying at first.
After all, if an attacker already has root powers, they’re pretty much in control of your computer anyway.
But when you notice a bug elsewhere in the system that’s listed with the warning that “an app may be able to gain root privileges”, you can see how the latter vulnerability could be a convenient and unauthorised stepping stone to the former.
And when you also notice an image rendering bug described as “processing a maliciously crafted file may lead to arbitrary code execution”, you can quickly see that:
- A booby-trapped web page could contain an image that launches untrusted code.
- That untrusted code could implant a low-privilege app.
- The unwanted app could acquire root powers for itself.
- The now-root app could inject its own rogue code into the kernel.
In other words, theoretically at least, just an apparently innocent website…
…could send you tumbling into a cascade of trouble, just like the famous saying that goes, “For want of a nail, the shoe was lost; for want of a shoe, the horse was lost; for want of a horse, the message was lost; for want of a message, the battle was lost… all for the want of a horseshoe nail.”
What to do?
That’s why, as always, we recommend that you patch early; patch often; patch everything.
Apple, to its credit, makes patching everything the default: you don’t get to choose which patches to deploy and which to leave “for later”.
The only exception to this rule, as we noted above, is that for macOS Big Sur and macOS Catalina, you’ll receive the bulk of the operating system updates in one giant download, followed by a separate download-and-update process to install the latest version of Safari.
- On your iPhone or iPad: Settings > General > Software Update
- On your Mac: Apple menu > About this Mac > Software Update…
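The Big Sur and Catalina caveat above, as an added example (not from the original article or from Apple): a Python check that flags Macs where the operating system is patched but the standalone Safari 15.6 update is still missing. The function names and the sample inventory are assumptions made for illustration; the version numbers are the ones listed in the bulletins above.

```python
# Added example: check Mac inventory against the releases listed in this article.
MIN_MACOS = {12: (12, 5), 11: (11, 6, 8)}  # Monterey 12.5, Big Sur 11.6.8
MIN_SAFARI = (15, 6)                        # Safari 15.6


def parse(version):
    """Turn '11.6.8' into (11, 6, 8) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def at_least(have, need):
    """Compare version tuples, zero-padding the shorter one (12.5 == 12.5.0)."""
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def missing_updates(macos_version, safari_version):
    """Return the actions one Mac still needs, as a list of strings."""
    macos, safari = parse(macos_version), parse(safari_version)
    todo = []
    if macos[:2] == (10, 15):
        # Catalina security updates keep the same version number, so the
        # version string cannot confirm Security Update 2022-005.
        todo.append("verify Security Update 2022-005 Catalina is installed")
    elif macos[0] in MIN_MACOS:
        need = MIN_MACOS[macos[0]]
        if not at_least(macos, need):
            todo.append("install macOS " + ".".join(map(str, need)))
    else:
        return ["macOS release not covered by these bulletins"]
    if not at_least(safari, MIN_SAFARI):
        if macos[0] == 12:
            # Monterey: the Safari fixes arrive inside the macOS update.
            todo.append("Safari 15.6 (bundled with macOS 12.5)")
        else:
            # Big Sur and Catalina: second, standalone download.
            todo.append("install standalone Safari 15.6 (HT213341)")
    return todo


# Constructed sample inventory: hostname -> (macOS version, Safari version).
FLEET = {
    "mac-a": ("12.5", "15.6"),
    "mac-b": ("11.6.8", "15.5"),   # OS patched, Safari forgotten
    "mac-c": ("10.15.7", "15.5"),
}

if __name__ == "__main__":
    for host, versions in FLEET.items():
        print(host, missing_updates(*versions) or "up to date")
```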