Apple patches a zero-day hole – even in the brand new iOS 16

We’ve been waiting for iOS 16, given Apple’s recent Event at which the iPhone 14 and other upgraded hardware products were launched to the public.

This morning, we did a Settings > General > Software Update, just in case…

…but nothing showed up.

But some time shortly before 8pm tonight UK time [2022-09-12T18:31Z], a raft of update notifications dropped into our inbox, announcing a curious mix of new and updated Apple products.

Even before we read through the bulletins, we tried Settings > General > Software Update again, and this time we were offered an upgrade to iOS 15.7, with an alternative upgrade that would take us straight to iOS 16:

An update and an upgrade available at the same time!

(We went for the upgrade to iOS 16 – the download was just under 3GB, but once downloaded the process went faster than we expected, and everything thus far seems to be working just fine.)

Be sure to update even if you don’t upgrade

Just to be clear, if you don’t want to upgrade to iOS 16 just yet, you still need to update, because the iOS 15.7 and iPadOS 15.7 updates include numerous security patches, including a fix for a bug dubbed CVE-2022-32917.

The bug, the discovery of which is credited simply to “an anonymous researcher”, is described as follows:

[Bug patched in:] Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: The issue was addressed with improved bounds checks.

As we pointed out when Apple’s last emergency zero-day patches came out, a kernel code execution bug means that even innocent-looking apps (perhaps including apps that made it into the App Store because they raised no obvious red flags when examined) could burst free from Apple’s app-by-app security lockdown…

…and potentially take over the entire device, including grabbing the right to perform system operations such as using the camera or cameras, activating the microphone, acquiring location data, taking screenshots, snooping on network traffic before it gets encrypted (or after it’s been decrypted), accessing files belonging to other apps, and much more.

If, indeed, this “issue” (or security hole as you might prefer to call it) has been actively exploited in the wild, it’s reasonable to infer that there are apps out there that unsuspecting users have already installed, from what they thought was a trusted source, even though those apps contained code to activate and abuse this vulnerability.

Intriguingly, macOS 11 (Big Sur) gets its own update to macOS 11.7, which patches a second zero-day hole dubbed CVE-2022-32894, described in exactly the same words as the iOS zero-day bulletin quoted above.

However, CVE-2022-32894 is listed as a Big Sur bug only, with the more recent operating system versions macOS 12 (Monterey), iOS 15, iPadOS 15 and iOS 16 apparently unaffected.

Remember that a security hole that was only fixed after the Bad Guys had already figured out how to exploit it is known as a zero-day because there were zero days during which even the keenest user or sysadmin could have patched against it proactively.

The full story

The updates announced in this round of bulletins include the following.

We’ve listed them below in the order they arrived by email (reverse numeric order) so that iOS 16 appears at the bottom:

  • APPLE-SA-2022-09-12-5: Safari 16. This update applies to macOS Big Sur (version 11) and Monterey (version 12). No Safari update is listed for macOS 10 (Catalina). Two of the bugs fixed could lead to remote code execution, meaning that a booby-trapped website could implant malware on your computer (which could subsequently abuse CVE-2022-32917 to take over at kernel level), although neither of these bugs are listed as being zero-days. (See HT213442.)
  • APPLE-SA-2022-09-12-4: macOS Monterey 12.6 This update can be considered urgent, given that it includes a fix for CVE-2022-32917. (See HT213444.)
  • APPLE-SA-2022-09-12-3: macOS Big Sur 11.7 A similar tranche of patches to those listed above for macOS Monterey, including the CVE-2022-32917 zero-day. This Big Sur update also patches CVE-2022-32894, the second kernel zero day described above. (See HT213443.)
  • APPLE-SA-2022-09-12-2: iOS 15.7 and iPadOS 15.7 As stated at the start of the article, these updates patch CVE-2022-32917. (See HT213445.)
  • APPLE-SA-2022-09-12-1: iOS 16 The big one! As well as a bunch of new features, this includes the Safari patches delivered separately for macOS (see the top of this list), and a fix for CVE-2022-32917. Intriguingly, the iOS 16 upgrade bulletin advises that “[a]dditional CVE entries [are] to be added soon”, but doesn’t denote CVE-2022-23917 as a zero-day. Whether that’s because iOS 16 wasn’t yet officially considered “in the wild” itself, or because the known exploit doesn’t yet work on an unpatched iOS 16 Beta, we can’t tell you. But the bug does indeed seem to have been carried forward from iOS 15 into the iOS 16 codebase. (See HT213446.)

What to do?

As always, Patch Early, Patch Often.

A full-blown upgrade from iOS 15 to iOS 16.0, as it reports itself after installation, will patch the known bugs in iOS 15. (We’ve not yet seen an announcement for iPadOS 16.)

If you’re not ready for the upgrade yet, be sure to upgrade to iOS 15.7, because of the zero-day kernel hole.

On iPads, for which iOS 16 isn’t yet mentioned, grab iPadOS 15.7 right now – don’t hang back waiting for iPadOS 16 to come out, given that you’d be leaving yourself needlessly exposed to a known exploitable kernel flaw.

On Macs, Monterey and Big Sur get a double-update, one to patch Safari, which becomes Safari 16, and one for the operating system itself, which will take you to macOS 11.7 (Big Sur) or macOS 12.6 (Monterey).

No patch for iOS 12 this time, and no mention of macOS 10 (Catalina) – whether Catalina is now no longer supported, or simply too old to include any of these bugs, we can’t tell you.

Watch this space for any CVE updates!


go top