Apple Patches Double Zero-Day in Browser and Kernel – Update Now! – Bare Security
Apple just released an emergency update for two zero-day bugs that are apparently actively exploited.
There is a Remote Code Execution (RCE) hole dubbed CVE-2022-32893 in Apple’s HTML rendering software (WebKit), through which a booby-trapped webpage can trick iPhones, iPads, and Macs into running unauthorized and untrusted software code.
Simply put, a cybercriminal could plant malware on your device even if you were just viewing an otherwise innocent web page.
Remember that WebKit is the part of Apple’s browser engine that sits under absolutely all web rendering software on Apple’s mobile devices.
But on iOS and iPadOS, Apple’s App Store policies insist that any software that offers any kind of web browsing functionality must be based on WebKit, including browsers such as Chrome, Firefox, and Edge that don’t rely on Apple’s browser code on any other platform you might use them on.
Also, all Mac and iDevice apps with pop-ups such as Help or About screens use HTML as their “display language” – a programming convenience that’s understandably popular with developers.
Apps that do this almost certainly use Apple’s WebView system functions, and WebView is based directly on WebKit, so it is affected by all WebKit vulnerabilities.
The CVE-2022-32893 vulnerability therefore potentially affects many more applications and system components than Apple’s Safari browser alone, so simply avoiding Safari cannot be considered a workaround, even on Macs, where non-WebKit browsers are allowed.
Then there’s a second zero day
There is also a kernel code execution hole called CVE-2022-32894, whereby an attacker who has already gained a foothold on your Apple device by exploiting the aforementioned WebKit bug…
…could shift from controlling a single app on your device to taking over the operating system’s kernel itself, acquiring the kind of “administrative superpowers” normally reserved for Apple itself.
This almost certainly means the attacker could:
- Spy on all running apps
- Download and start additional apps without going through the App Store
- Access almost all data on the device
- Change system security settings
- Retrieve your location
- Take screenshots
- Use device cameras
- Activate the microphone
- Copy text messages
- Track your browsing…
…and much more.
Apple hasn’t said how these bugs were found (other than to credit “an anonymous researcher”), hasn’t said where in the world they have been exploited, and hasn’t said who is using them or for what purpose.
Generally speaking, however, a working WebKit RCE followed by a working kernel exploit, as seen here, usually provides all the functionality needed to mount a device jailbreak (thus deliberately circumventing almost all security restrictions imposed by Apple), or to install spyware in the background and keep you under complete surveillance.
What to do?
Patch right away!
At the time of writing, Apple has released advisories for iPadOS 15 and iOS 15, both of which get an updated version number of 15.6.1, and for macOS Monterey 12, which gets an updated version number of 12.5.1.
Older supported versions of macOS (Big Sur and Catalina) have not yet received kernel-level patches, so the operating systems themselves have not been updated.
But there is a standalone Safari update, which takes you to Safari 15.6.1, and which you need to get if you are still using macOS 10 Big Sur or macOS 11 Catalina.
- On your iPhone or iPad: Settings > General > Software update
- On your Mac: Apple menu > About This Mac > Software update…
There is also an update that brings watchOS to version 8.7.1, but this update does not list any CVE numbers and does not have a security advisory of its own.
It is not yet known whether tvOS is immune, or is vulnerable but has not yet been patched.
For more information, watch this space and keep an eye on the official portal page for Apple’s Security Bulletin, HT201222.
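For anyone looking after more than one device, here is an added example (not from the original article or from Apple) that triages an inventory against the fixed versions listed above. The inventory records, status labels and function names are assumptions made for illustration.

```python
# Added example: triage an inventory against the fixed versions named in the article.
# The device records at the bottom are constructed sample data.

FIXED_OS = {"iOS": (15, 6, 1), "iPadOS": (15, 6, 1), "macOS": (12, 5, 1)}
FIXED_SAFARI = (15, 6, 1)  # standalone Safari update for pre-Monterey macOS

def parse_version(text):
    """'15.6' -> (15, 6, 0): pad to three parts so tuples compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def fmt(version):
    return ".".join(str(n) for n in version)

def patch_status(platform, os_version, safari_version=None):
    """Return (status, note) for one device record."""
    if platform not in FIXED_OS:
        # watchOS 8.7.1 lists no CVEs and the status of tvOS is not yet known.
        return ("unknown", "no advisory covering these CVEs for " + platform)
    fixed, current = FIXED_OS[platform], parse_version(os_version)
    if platform == "macOS" and current[0] < fixed[0]:
        # Big Sur / Catalina: only the WebKit fix is available, via Safari.
        if safari_version is None:
            return ("unknown", "Safari version not reported")
        if parse_version(safari_version) >= FIXED_SAFARI:
            return ("webkit-only", "no kernel-level patch released yet")
        return ("vulnerable", "install Safari " + fmt(FIXED_SAFARI))
    if current[0] > fixed[0]:
        return ("unknown", "newer major release, not covered by the article")
    if current >= fixed:
        return ("patched", fmt(fixed) + " or later installed")
    return ("vulnerable", "update to " + fmt(fixed))

# Constructed sample inventory: (host, platform, OS version, Safari version)
INVENTORY = [
    ("phone-01", "iOS", "15.6", None),
    ("tablet-02", "iPadOS", "15.6.1", None),
    ("mac-03", "macOS", "12.5.1", "15.6.1"),
    ("mac-04", "macOS", "11.6.8", "15.6"),
    ("mac-05", "macOS", "10.15.7", "15.6.1"),
    ("watch-06", "watchOS", "8.7.1", None),
]

if __name__ == "__main__":
    for host, platform, os_v, safari_v in INVENTORY:
        status, note = patch_status(platform, os_v, safari_v)
        print(f"{host:10} {platform:8} {os_v:8} {status:12} {note}")
```

Versions are compared as integer tuples rather than strings, so a release such as 15.10 sorts after 15.6.1 instead of before it.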