June 27, 2022

TheCyberThrone

Thinking Security ! Always

Apple Security Updates May 2022

Apple’s latest security updates have arrived for all still-supported flavours of macOS (Monterey, Big Sur and Catalina) and for all current mobile devices (iPhones, iPads, Apple TVs and Apple Watches). The Xcode development system gets an update too.

Update to iOS 15.5 and iPadOS 15.5.

The bug fixes for iPhones and iPads include RCE flaws in components ranging from the kernel itself to Apple’s image rendering library, graphics drivers and video processing modules. Holes of this sort can lead to a complete device takeover, the same class of bug that is used for jailbreaking Apple devices: a kernel-level bug can hand an attacker full control of the device. Other notable fixes include:

  • A flaw that could allow rogue apps to evade their sandbox restrictions.
  • A Safari bug that could allow you to be tracked even in Private Browsing mode.
  • A hole in the Security subsystem that provides a way for sneakily modified apps to bypass the digital signature check by which the operating system is supposed to verify that they haven’t been tampered with.
  • A lock screen bug, whereby someone who picks up your iPhone while you’re not looking (or who steals it, of course) could access your photos without knowing the unlock code.

Update to macOS Monterey 12.4.

The above-mentioned fixes also apply to macOS. There are several other bugs that apply only to macOS, notably in laptop/desktop components such as AppleScript, a powerful system automation tool that allows you to launch and control apps, including entering keystrokes, clicking the mouse, configuring devices such as your microphone and webcam, and snapping screenshots.

There’s also a patch for CVE-2022-0778, a bug in OpenSSL’s certificate parsing (an infinite loop in the BN_mod_sqrt function, triggerable by a certificate or key with malformed elliptic-curve parameters, so a denial of service rather than code execution) that the OpenSSL team patched in March 2022.

Update to macOS Big Sur 11.6.6.

Apple’s previous version of macOS, Big Sur, gets patches for many of the same bugs as Monterey, with the notable addition of a video decoding bug (in the AppleAVD component) that gives attackers a way to acquire kernel-level powers, presumably via booby-trapped media files. This bug, CVE-2022-22675, is a zero-day that Apple says may have been exploited in the wild; Monterey and iOS already received the fix in March 2022 (macOS 12.3.1 and iOS 15.4.1), which is why it doesn’t appear in the Monterey 12.4 list.

Update to tvOS 15.5.

Like Big Sur, the latest tvOS update fixes CVE-2022-22675, the in-the-wild kernel-level RCE bug described above.

Update to watchOS 8.6.

Despite the significantly different version number from tvOS (8.6 instead of 15.5), Apple Watch users also get a patch for the zero-day video decoding bug CVE-2022-22675.

Security Update for 2022-004 Catalina

Catalina, two versions back and the oldest currently supported flavour of macOS, gets many of the same patches as Big Sur. CVE-2022-22675, the zero-day hole fixed in Big Sur, tvOS and watchOS, is not listed for Catalina, presumably because the affected code isn’t present in that version.


Update to Safari 15.5.

This update fixes two RCE flaws in WebKit, the web rendering engine. Given that the bugs are in WebKit rather than in one of Apple’s multimedia libraries, we’re guessing they relate to the handling of web-specific content such as HTML, CSS or JavaScript, meaning that visiting a booby-trapped web page would be enough to trigger them.

Update to Xcode 13.4.

Programmers should get this update, especially if they use the popular source code management system Git, which ships with Xcode.

According to the report on CVE-2022-24765, “on multi-user machines Git users might find themselves unexpectedly in a Git worktree.” The problem is Git’s repository discovery: when you run a Git command, it walks up the directory tree from your current directory looking for a .git directory, and on a shared machine another user can plant one in a common parent directory that you don’t control (such as the root of the drive). Your Git commands then silently pick up that repository’s configuration, including settings such as core.fsmonitor and hooks that run arbitrary commands as you, so this is code execution rather than an authentication bypass. The fix (Git 2.35.2) refuses to use a repository owned by a different user unless you explicitly list it in the new safe.directory configuration setting.
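As an added illustration of that mechanism (this is not Git’s own code, nor code from this post), the following Python models repository discovery walking up the directory tree and the ownership check that the fix introduced. The directory layout, user ids and core.fsmonitor values are constructed for the example; real Git does this in C against the actual filesystem.

```python
"""Model of Git's repository discovery and the CVE-2022-24765 fix.

Added illustration, not Git's own code: the directory layout, owner ids
and the helper functions are constructed here. Real Git does this in C
(setup.c) and consults the actual filesystem.
"""
from pathlib import PurePosixPath

# Constructed model of a shared machine: which directories contain a .git
# directory, who owns it, and what core.fsmonitor that repo's config sets.
# The attacker (uid 1000) has planted /.git; the victim (uid 1001) owns a
# real repository under their home directory.
FILESYSTEM = {
    "/":                   {"owner": 1000, "fsmonitor": "/tmp/evil.sh"},
    "/home/victim/myrepo": {"owner": 1001, "fsmonitor": None},
}

ATTACKER_UID = 1000
VICTIM_UID = 1001


class UnsafeRepository(Exception):
    """Raised when a repo owned by another user is rejected (post-fix Git)."""


def discover_git_dir(cwd, uid, check_ownership=True, safe_directories=()):
    """Walk from cwd up to '/' and return the first directory holding .git.

    check_ownership=False models Git before 2.35.2: any .git found is used.
    check_ownership=True models the fix: a .git owned by a different uid is
    rejected unless that directory is listed in safe_directories (Git's
    safe.directory setting; '*' disables the check entirely).
    """
    path = PurePosixPath(cwd)
    for candidate in (path, *path.parents):
        key = str(candidate)
        repo = FILESYSTEM.get(key)
        if repo is None:
            continue
        if (check_ownership and repo["owner"] != uid
                and key not in safe_directories
                and "*" not in safe_directories):
            raise UnsafeRepository(
                f"detected dubious ownership in repository at '{key}'")
        return key
    return None


def run_git_command(cwd, uid, **kwargs):
    """Return the command Git would execute via core.fsmonitor (or None).

    Git runs core.fsmonitor from the discovered repo's config before many
    ordinary commands, so an attacker-controlled repo means the attacker's
    command runs as the victim.
    """
    git_dir = discover_git_dir(cwd, uid, **kwargs)
    if git_dir is None:
        return None
    return FILESYSTEM[git_dir]["fsmonitor"]


def is_rejected(cwd, uid, **kwargs):
    """True if discovery refuses the repo (the post-fix outcome for planted repos)."""
    try:
        discover_git_dir(cwd, uid, **kwargs)
    except UnsafeRepository:
        return True
    return False


if __name__ == "__main__":
    # The victim runs git in a directory that holds no repository of their own.
    cwd = "/home/victim/project"
    print("pre-fix :", run_git_command(cwd, VICTIM_UID, check_ownership=False))
    print("post-fix:", is_rejected(cwd, VICTIM_UID))
    print("own repo:", discover_git_dir("/home/victim/myrepo/src", VICTIM_UID))
```

With the ownership check off, the victim’s command in /home/victim/project walks up to the planted /.git and would run /tmp/evil.sh; with the check on, discovery stops with the “dubious ownership” error unless “/” is in safe.directory, while the victim’s own repository continues to work as before.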
