Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.
The relevant security bulletins, update numbers, and where to find them online are as follows:
- APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
- APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
- APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
- APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
- APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
- APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
- APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341
As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPadOS.
But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.
An honorary zero-day
By the way, if you’ve got a Mac with an earlier version of macOS, don’t forget about that second download for Safari, because it’s vitally important, at least as far as we can see.
That’s because one of the browser-related patches in this round of updates deals with a vulnerability in WebRTC (web real-time communications) known as CVE-2022-2294…
…and if that number sounds familiar, it should, because it’s the same bug that was fixed as a zero-day by Google in Chrome (and by Microsoft in Edge) about two weeks ago.
Intriguingly, Apple hasn’t declared any of this month’s vulnerabilities as “reported to be in the wild”, or as “zero-day bugs”, despite the abovementioned patch that was dubbed a zero-day hole by Google.
Whether that’s because the bug isn’t as easy to exploit in Safari, or simply because no one has traced back any Safari-specific misbehaviour to this particular flaw, we can’t tell you, but we’re treating it as an “honorary zero-day” vulnerability, and patching zealously as a result.
Pwn2Own hole closed
Apple has also apparently fixed the bug found by German cybersecurity researcher Manfred Paul at the recent Pwn2Own competition in Canada, back in May 2022.
Manfred Paul exploited Firefox with a two-stage bug that earned him $100,000 ($50,000 for each part), and got into Safari as well, for a further $50,000 bounty.
Indeed, Mozilla published its fix for Paul’s bugs within two days of receiving his report at Pwn2Own.
Apple, in contrast, took two months to ship its post-Pwn2Own patch:
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved input validation.
CVE-2022-32792: Manfred Paul (@_manfp) working with Trend Micro Zero Day Initiative [Pwn2Own]
Remember, however, that responsible disclosure is part of the Pwn2Own competition, meaning that anyone claiming a prize is required not only to hand over full details of their exploit to the affected vendor, but also to keep quiet about the vulnerability until the patch is out.
In other words, as laudable and exciting as Mozilla’s two-day patch delivery time may have been, Apple’s much slower response is nevertheless acceptable.
The live video streams you may have seen from Pwn2Own served to indicate whether each competitor’s attack succeeded, rather than to reveal any information about how the attack actually worked. The video displays used by the competitors had their backs to the camera, so you could see the faces of the competitors and adjudicators, but not what they were typing or looking at.
Multi-stage attacks
As usual, the numerous bugs patched by Apple in these updates include vulnerabilities that could, in theory, be chained together by determined attackers.
A bug listed with the proviso that “an app with root privileges may be able to execute arbitrary code with kernel privileges” doesn’t sound terribly worrying at first.
After all, if an attacker already has root powers, they’re pretty much in control of your computer anyway.
But when you notice a bug elsewhere in the system that’s listed with the warning that “an app may be able to gain root privileges”, you can see how the latter vulnerability could be a convenient and unauthorised stepping stone to the former.
And when you also notice an image rendering bug described as “processing a maliciously crafted file may lead to arbitrary code execution”, you can quickly see that:
- A booby-trapped web page could contain an image that launches untrusted code.
- That untrusted code could implant a low-privilege app.
- The unwanted app could acquire root powers for itself.
- The now-root app could inject its own rogue code into the kernel.
In other words, theoretically at least, just looking at an apparently innocent website…
…could send you tumbling into a cascade of trouble, just like the famous saying that goes, “For want of a nail, the shoe was lost; for want of a shoe, the horse was lost; for want of a horse, the message was lost; for want of a message, the battle was lost… all for the want of a horseshoe nail.”
What to do?
That’s why, as always, we recommend that you patch early; patch often; patch everything.
Apple, to its credit, makes patching everything the default: you don’t get to choose which patches to deploy and which to leave “for later”.
The only exception to this rule, as we noted above, is that for macOS Big Sur and macOS Catalina, you’ll receive the bulk of the operating system updates in one giant download, followed by a separate download-and-update process to install the latest version of Safari.
As usual:
- On your iPhone or iPad: Settings > General > Software Update
- On your Mac: Apple menu > About this Mac > Software Update…
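The two-update rule above, applied to a fleet inventory, as an added example that is not part of the original article. The patched versions come from the bulletin list at the top of the page; the hostnames, inventory rows and the separate "Catalina security update installed" field are assumptions made for illustration.

```python
# Added example. Baselines come from the bulletin list in this article;
# the inventory rows and field layout are constructed for illustration.
MACOS_BASELINE = {12: ("macOS Monterey 12.5", (12, 5, 0)),
                  11: ("macOS Big Sur 11.6.8", (11, 6, 8))}
SAFARI_BASELINE = ("Safari 15.6", (15, 6, 0))
CATALINA_UPDATE = "Security Update 2022-005 Catalina"


def parse_version(text):
    """'11.6' -> (11, 6, 0): pad so that tuple comparison is well defined."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def pending_updates(macos, safari, catalina_su_installed=False):
    """Return the updates from this patch round that a Mac still needs."""
    os_ver = parse_version(macos)
    todo = []
    if os_ver[:2] == (10, 15):
        # Assumption: the inventory records the Catalina security update
        # explicitly instead of inferring it from the version string.
        if not catalina_su_installed:
            todo.append(CATALINA_UPDATE)
    elif os_ver[0] in MACOS_BASELINE:
        name, minimum = MACOS_BASELINE[os_ver[0]]
        if os_ver < minimum:
            todo.append(name)
    else:
        return ["not covered by the bulletins listed in this article"]
    # Safari ships inside the Monterey update; Big Sur and Catalina need the
    # standalone Safari download as a second step.
    if os_ver[0] != 12 and parse_version(safari) < SAFARI_BASELINE[1]:
        todo.append(SAFARI_BASELINE[0])
    return todo


def audit(inventory):
    """Map each hostname to its outstanding updates (empty list = done)."""
    return {host: pending_updates(*fields) for host, fields in inventory.items()}


# Constructed sample inventory: host -> (macOS, Safari, Catalina SU installed)
SAMPLE = {
    "mac-a": ("12.4", "15.5", False),
    "mac-b": ("11.6.8", "15.5", False),
    "mac-c": ("10.15.7", "15.6", False),
    "mac-d": ("12.5", "15.6", False),
}

if __name__ == "__main__":
    for host, todo in audit(SAMPLE).items():
        print(host, "->", todo or "up to date")
```

A Big Sur machine such as mac-b, which has the operating system update but not the standalone browser update, is the case this check is meant to catch.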