Security researchers are urging users of Apple Mac, iPhone, and iPad devices to immediately update to newly released versions of the operating systems for each technology, to mitigate risk from two critical vulnerabilities in them that attackers are actively exploiting.
The zero-day flaws allow threat actors to take complete control of affected devices. They impact users of iPhone 6s and later, all models of iPad Pro, iPod touch (7th generation), iPad Ai2 and later, iPad 5th generation and later, and iPad mini 4 and later. Also affected are users with Macs running macOS Monterey, macOS Big Sur, and macOS Catalina. Apple disclosed the vulnerabilities and the updates addressing them on Wednesday.
Remote Code Execution Flaws
One of the zero-days (CVE-2022-32893) exists in WebKit, Apple’s browser engine for Safari and for all iOS and iPadOS Web browsers. Apple described the flaw as tied to an out-of-bounds write issue that attackers could use to remotely take control of vulnerable devices. “Processing maliciously crafted web content may lead to arbitrary code execution,” Apple warned in one of its typically terse vulnerability disclosures this week. “Apple is aware of a report that this issue may have been actively exploited,” the company noted.
The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.
Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said the widespread use of Apple’s technologies puts both businesses and consumers at risk from the vulnerabilities. “While cyber criminals will no doubt try to access personal information about consumers, accessing a business often has significantly more upside for malicious actors,” she says.
WebKit Flaw Has Wider Impact
In a blog, Sophos identified CVE-2022-32893 as having potentially the wider impact compared to the other flaw that Apple disclosed this week. The flaw gives attackers a way to set up “booby-trapped” Web pages that can trick Macs, iPhones, and iPads into running untrusted software. “Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page,” the security vendor said.
The flaw has widespread impact because WebKit powers all Web rendering software on Apple’s mobile devices and is used widely by Mac users as well. The vulnerability impacts more applications and systems components than just the Safari browser itself, so steering clear of the browser alone is not enough to mitigate risk, Sophos said.
“The WebKit component is particularly problematic, as it is the browser engine across all Apple software,” says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. “Apple users should patch now. These updates need to be applied as soon as possible.”
Both Consumers & Organizations at Risk
Like many others have noted about the sparse nature of software vendor vulnerability disclosures recently, Holland too said it would have been more useful for defenders if Apple had provided more context and details around the flaws.
“Apple is light on the technical details of this week’s two zero-day vulnerabilities,” he says. “However, it is never reassuring to see the phrase ‘execute arbitrary code with kernel privileges’,” as Apple’s disclosure reads.
Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs. These updates present a security awareness opportunity to discuss the risks to employees’ lives and provide patching instructions, including how to enable automatic updates.
Mike Parkin, senior technical engineer at Vulcan Cyber, says there’s not enough information to determine how easily attackers can exploit these vulnerabilities. But reports about the flaws being already used in the wild is concerning, he says, especially because they allow for remote code execution. Apple products are widely used both in enterprise and consumer markets, and often overlap for people who work in Bring Your Own Device (BYOD) environments, he says. Given that, and the relative lack of detail, it’s hard to say who’ll be more at risk.
“Organizations should deploy the appropriate controls to minimize the risk to their environments,” Parkin advocates. “The ones that allow BYOD devices will face some additional challenges, as they’ll need to address systems that they don’t directly control.”