Apple on Wednesday released 13 patches for serious security bugs in macOS and 10 for flaws in iOS/iPadOS. They include fixes for two zero-day bugs, one of which may have been exploited by attackers in the wild.
The first zero-day (CVE-2022-22587) is a memory-corruption issue that could be exploited by a malicious app to execute arbitrary code with kernel privileges. The bug specifically exists in the IOMobileFrameBuffer – a kernel extension that allows developers to control how a device’s memory handles the screen display, aka a framebuffer. It affects iOS, iPadOS and macOS Monterey, and Apple addressed it with improved input validation.
Apple also said it’s aware of a report that indicates it may have been actively exploited in the wild.
The update is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Data-Exposing Apple Safari Bug Squashed
Also out is a fix for a second zero-day: a widely published WebKit flaw in the pervasive Safari browser that’s tracked as CVE-2022-22594. The information-disclosure issue affects browsers for macOS, iOS and iPadOS. Disclosed by FingerprintJS researchers last week, it allows a snooping website to find out information about other tabs a user might have open.
That bug is a cross-origin policy violation in the IndexedDB API – a JavaScript API provided by web browsers to manage a NoSQL database of JSON objects – that Apple also addressed with improved input validation.
Typically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin/back-end server. Without this security policy in place, a snooper who manages to inject a malicious script into one website would have free access to any data contained in other tabs the victim may have open in the browser, including online banking sessions, emails, healthcare portal data and other sensitive information.
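The same-origin rule described above, as an added example that is not from the original article and is not Apple or WebKit code: two pages share an origin only when scheme, host and port all match, and storage keyed by the caller's origin cannot be read or enumerated from another origin. The `OriginScopedStore` class and the `example.test` URLs are hypothetical and constructed for illustration.

```javascript
// Added illustration; not WebKit code. Uses only the standard WHATWG URL API.

// An origin is the (scheme, host, port) tuple. URL.origin serializes it and
// drops default ports, so https://a.example and https://a.example:443 match.
function originOf(url) {
  const origin = new URL(url).origin;
  // Opaque origins (data:, file:, ...) serialize as the string "null".
  // Treat them as having no origin so two of them never compare equal.
  return origin === "null" ? null : origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  return oa !== null && oa === originOf(b);
}

// Hypothetical per-origin store: every operation is keyed by the caller's
// origin, so a page can neither read nor enumerate another origin's entries.
class OriginScopedStore {
  constructor() {
    this.buckets = new Map(); // origin string -> Map(name -> value)
  }
  bucketFor(pageUrl) {
    const origin = originOf(pageUrl);
    if (origin === null) throw new Error("opaque origin has no storage");
    if (!this.buckets.has(origin)) this.buckets.set(origin, new Map());
    return this.buckets.get(origin);
  }
  put(pageUrl, name, value) { this.bucketFor(pageUrl).set(name, value); }
  get(pageUrl, name) { return this.bucketFor(pageUrl).get(name); }
  names(pageUrl) { return [...this.bucketFor(pageUrl).keys()]; }
}

// Constructed sample pages in two tabs (example.test names are placeholders).
const store = new OriginScopedStore();
store.put("https://bank.example.test/account", "session", "constructed-value");
store.put("https://news.example.test/home", "prefs", "dark");

// Same scheme, host and (default) port: same origin.
console.log(sameOrigin("https://bank.example.test/a", "https://bank.example.test:443/b"));
// Same server name but a different scheme: different origin.
console.log(sameOrigin("https://bank.example.test/", "http://bank.example.test/"));
// The news page sees only its own entries, never the bank tab's.
console.log(store.names("https://news.example.test/other"));
```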
John Bambenek, principal threat hunter for Netenrich, told Threatpost on Wednesday that zero-days like these two – ones that can allow remote-code execution (RCE) on mobile devices – are “among the most dangerous there are.”
Think mobile spyware, think Pegasus, think nation-state espionage.
“Often, these types of bugs are used … with significant ill intent or by governments engaged in human-rights abuses,” Bambenek said via email. “Unfortunately, we will likely see more of these bugs as the year goes on.”
The patches are available in the macOS Monterey 12.2 and the iOS/iPadOS 15.3 updates. iOS 15.3 also brought fixes for security issues that could lead to apps gaining root privileges, the ability to execute arbitrary code with kernel privileges, and the ability for apps to get at user files through iCloud.