Apple has just sent out two security advisories covering two zero-day security holes, namely:
- Apple Bulletin HT213219: Kernel code execution bug CVE-2022-22675. This update is for iOS and iPadOS, both of which go to version 15.4.1.
- Apple Bulletin HT213220: Kernel code execution bug CVE-2022-22675 and kernel data leakage bug CVE-2022-22674. This update is for macOS Monterey, which goes to version 12.3.1.
No earlier versions of iOS, iPadOS or macOS seem to be affected by these bugs – or, more precisely, no updates for older versions have been published yet.
Apple, as ever, isn’t saying anything about the platforms that didn’t get updates, so it’s impossible to say whether they’re immune and thus unaffected, affected but simply being ignored, or affected and still awaiting updates that will show up in a few days. (The last of these does happen from time to time.)
Intriguingly, Apple’s core Security Updates page at HT201222 reports that there are updates denoted tvOS 15.4.1 and watchOS 8.5.1, but Apple merely remarks that these updates have “no published CVE entries”.
There’s no detail about what types of security flaw, if any, were addressed in the Apple Watch and Apple TV patches, so we can’t tell you whether these updates have any common ground with the zero-day fixes for Apple’s phones, tablets, laptops and desktop computers.
Jailbreaking and spyware a possibility
Ominously, given the world’s collective fear of cyberattacks and global hacking right now, each of the CVE-numbered bugs mentioned above is accompanied by Apple’s vague-as-usual wording that says, “Apple is aware of a report that this issue may have been actively exploited.”
In one word, that means: Zero-day!
A zero-day, of course, is a security hole that the Bad Guys not only found first, but also figured out how to exploit before any patches were available. (In oither words, there were zero days you could have been patched even if you were the world’s most proactive patcher.)
Also, as we’ve pointed out before, kernel code execution flaws – where an unauthorised app or chunk of injected code doesn’t just take over a single application, but potentially gets unsandboxed access to the entire running system – are the most broadly dangerous sort of bug on iPhones and iPads.
Apple’s mobile devices are locked down much more tightly by default than computers running macOS, and while you can increase security on macOS, you aren’t supposed to be able to reduce security on iOS and iPadOS to bypass those default restrictions.
So, malware that gets unauthorised access to a single iPhone or iPad app might be able to run off with important personal data specific to that app – all your photos, perhaps, or your text message history – but isn’t supposed to be able to mess with any other apps or data on the device.
But malware with kernel control pretty much has access-all-areas privileges, meaning that it could be used for a total jailbreak (the jargon term for bypassing Apple’s strict security controls).
Likewise, kernel code execution bugs could be used for general-purpose spyware that could peek into, and perhaps even manipulate, all aspects of your digital life, including location data, IMs and text messages, emails, browsing history, contacts, phone records, photos, and much more.
What to do?
Patch early, patch often!
Most Apple users go for automatic updating, but that doesn’t mean you automatically get the update right away.
Apple understandably spreads out the delivery of its updates to prevent every Apple device in the world trying to update at exactly the same moment, which would clog up the process and slow things down, on average, for everyone.
So, even if you have automatic updating turned on, check for yourself anyway, and jump to the head of the queue if you haven’t received the update yet!
Here’s how to check your update stats, and get the updates right away if you don’t have them already:
- On your iPhone or iPad: Settings > General > Software Update
- On your Mac: Apple menu > About this Mac > Software Update…
Take care out there!