Apple Issues Emergency iOS Fix as Kernel Zero-Day ExploitedImmediate Updating Recommended as Any App in iOS and iPad Is Exploitable
Apple has issued a slew of security updates amid reports that its iOS devices are being actively exploited via a zero-day vulnerability in the kernel.
Because of the out-of-bound write flaw, designated CVE-2022-42827, any iOS application "may be able to execute arbitrary code with kernel privileges," it warns in a security bulletin.
While Apple says that it "is aware of a report that this issue may have been actively exploited," it hasn't attributed such exploits to any specific cybercrime or nation-state group.
Out-of-bounds writing refers to writing data before the beginning or after the end of a buffer. "Typically, this can result in corruption of data, a crash or code execution," Mitre's Common Weakness Enumeration website warns.
"Given the high price that working iPhone zero-days command in the 'cyberunderworld,' we assume that whoever is in in possession of this exploit knows how to make it work effectively and is unlikely to draw attention to it themselves, in order to keep existing victims in the dark as much as possible," Paul Ducklin, a security researcher at Sophos, says in a blog post.
Fixes for the kernel-level flaw that can be exploited via any app on a device, as well as patches for two other similar kernel-level flaws, are contained in software updates released Monday:
- iOS version 16.1, which follows version 16 - released Sept. 12 - and includes fixes for 20 flaws;
- iPadOS version 16, which supplants version 15.7 - released in September 2021 - with the delay reportedly tied to its new Stage Manager feature, which allows for multitasking between devices;
- macOS 13 Ventura, which follows the October 2021 release of macOS 12.6 Monterey, and includes fixes for more than 100 flaws.
The view from security experts: Update as quickly as possible. "In short, iPhones and iPads needs patching right away because of a kernel zero-day," since it's being actively exploited, Ducklin says.
The updates also fix a number of other vulnerabilities, including in the open-source web browser engine WebKit that gets used across iOS and Mac devices. Whenever a WebKit flaw arises, security experts recommend immediate patching.
The iOS and iPad updates are available for all currently supported devices: iPhone 8 and later, iPad Pro - all models, iPad Air 3rd-generation and later, iPad 5th-generation and later and iPad mini 5th-generation and later.
Surveillance Spyware Concerns
Prior zero-day flaws in iOS have been discovered or purchased by the likes of Israel's NSO Group, which develops Pegasus spyware, which it says it sells to approved law enforcement and government agencies. The company and its peer, Candiru, have faced longstanding criticism that they supply the software to oppressive regimes. Late last year, the U.S. government added both firms to the Department of Commerce blacklist of companies subject to technology export licensing requirements (see: Tech Alone Won't Defeat Advanced Spyware, US Congress Told).
With the release of iOS 16 last month, Apple included a new Lockdown Mode, described as "an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats," it says.
"Most people will never be targeted by attacks of this nature," Apple says.