Apple has disgorged its newest patches, fixing greater than 50 CVE-numbered safety vulnerabilities in its vary of supported merchandise.
The related safety bulletins, replace numbers, and the place to seek out them on-line are as follows:
- APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, particulars at HT213346
- APPLE-SA-2022-07-20-2: macOS Monterey 12.5, particulars at HT213345
- APPLE-SA-2022-07-20-3: macOS Huge Sur 11.6.8, particulars at HT213344
- APPLE-SA-2022-07-20-4: Safety Replace 2022-005 Catalina, particulars at HT213343
- APPLE-SA-2022-07-20-5: tvOS 15.6, particulars at HT213342
- APPLE-SA-2022-07-20-6: watchOS 8.7, particulars at HT213340
- APPLE-SA-2022-07-20-7: Safari 15.6, particulars at HT213341
As normal with Apple, the Safari browser patches are bundled into the updates for the newest macOS (Monterey), in addition to into the updates for iOS and iPad OS.
However the updates for the older variations of macOS don’t embrace Safari, so the standalone Safari replace (see HT213341 above) subsequently applies to customers of earlier macOS variations (each Huge Sur and Catalina are nonetheless formally supported), who might want to obtain and set up two updates, not only one.
An honorary zero-day
By the best way, when you’ve bought a Mac with an earlier model of macOS, don’t neglect about that second obtain for Safari, as a result of it’s vitally necessary, at the very least so far as we will see.
That’s as a result of one of many browser-related patches on this spherical of updates offers with a vulnerability in WebRTC (net real-time communications) referred to as CVE-2022-2294…
…and if that quantity sounds acquainted, it ought to, as a result of it’s the identical bug that was fastened as a zero-day by Google in Chrome (and by Microsoft in Edge) about two weeks in the past:
Intriguingly, Apple hasn’t declared any of this month’s vulnerabilities as “reported to be within the wild”, or as “zero-day bugs”, regardless of the abovementioned patch that was dubbed a zero-day gap by Google.
Whether or not that’s as a result of the bug isn’t as straightforward to use in Safari, or just because nobody has traced again any Safari-specific misbehaviour to this explicit flaw, we will’t let you know, however we’re treating it as an “honorary zero-day” vulnerability, and patching zealously because of this.
Pwn2Own gap closed
Apple has additionally apparently fastened the bug discovered by German cybersecurity researcher Manfred Paul on the current Pwn2Own competitors in Canada, again in Might 2022.
Newest podcast 🎧 Pay attention now! Firefox & Pwn2Own, Apple and an 0-day… and the arithmetic that defeated Pythagoras.https://t.co/HDrZPQzlAQ pic.twitter.com/DxgdC8VM1j
— Bare Safety (@NakedSecurity) May 20, 2022
Manfred Paul exploited Firefox with a two-stage bug that earned him $100,000 ($50,000 for every half), and bought into Safari as properly, for an additional $50,000 bounty.
Certainly, Mozilla revealed its repair for Paul’s bugs inside two days of receiving his report at Pwn2Own:
Apple, in distinction, took two months to ship its post-Pwn2Own patch:
WebKit
Impression: Processing maliciously crafted net content material could result in arbitrary code execution
Description: An out-of-bounds write challenge was addressed with improved enter validation.
CVE-2022-32792: Manfred Paul (@_manfp) working with Pattern Micro Zero Day Initiative [Pwn2Own]
Keep in mind, nonetheless, that accountable disclosure is a part of the Pwn2Own competitors, which means that anybody claiming a prize is required not solely at hand over full particulars of their exploit to the affected vendor, but additionally to maintain quiet concerning the vulnerabiity till the patch is out.
In different phrases, as laudable and thrilling as Mozilla’s two-day patch supply time could have been, Apple’s a lot slower response is nonetheless acceptable.
The dwell video streams you could have seen from Pwn2Own served to point whether or not every competitor’s assault succeeded, moderately than to disclose any details about how the assault really labored. The video shows utilized by the rivals had their backs to the digital camera, so you may see the faces of the rivals and adjudicators, however not what they have been typing or taking a look at.
Multi-stage assaults
As normal, the quite a few bugs patched by Apple in these updates embrace vulnerabilities that would, in concept, be chained collectively by decided attackers.
A bug listed with the proviso that “an app with root privileges might be able to execute arbitrary code with kernel privileges” doesn’t sound terribly worrying at first.
In spite of everything, if an attacker already has root powers, they’re just about in charge of your pc anyway.
However whenever you discover a bug elsewhere within the system that’s listed with the warning that “an app might be able to achieve root privileges”, you’ll be able to see how the latter vulnerability might be a handy and unauthorised stepping stone to the previous.
And whenever you additionally discover a picture rendering bug described as “processing a maliciously crafted file could result in arbitrary code execution”, you’ll be able to rapidly see that:
- A booby-trapped net web page may comprise a picture that launches untrusted code.
- That untrusted code may implant a low-privilege app.
- The undesirable app may purchase root powers for itself.
- The now-root app may inject its personal rogue code into the kernel.
In different phrases, theoretically at the very least, simply taking a look at an apparently harmless web site…
…may ship you tumbling right into a cascade of bother, identical to the well-known saying that goes, “For need of a nail, the shoe was misplaced; for need of a shoe, the horse was misplaced; for need of a horse, the message was misplaced; for need of a message, the battle was misplaced… all for the need of a horseshoe nail.”
What to do?
That’s why, as at all times, we suggest that you just patch early; patch usually; patch every thing.
Apple, to its credit score, makes patching every thing the default: you don’t get to decide on which patches to deploy and which to depart “for later”.
The one exception to this rule, as we famous above, is that for macOS Huge Sur and macOS Catalina, you’ll obtain the majority of the working system updates in a single big obtain, adopted by a separate download-and-update course of to put in the newest model of Safari.
As normal:
- In your iPhone or iPad: Settings > Basic > Software program Replace
- In your Mac: Apple menu > About this Mac > Software program Replace…
-xl-(1)-xl.jpg "AirPods Pro 2 and AirPods 4 receive new beta firmware")
