Update now! Apple fixes several serious vulnerabilities in iOS and macOS

Apple has released patches for macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4. In these security updates, released on March 14, 2022, Apple tackles 39 vulnerabilities, several of which could allow an attacker to execute arbitrary code on an affected device.

One of the vulnerabilities can be exploited by having the victim open a crafted PDF file, and a few just require the victim to visit a specially crafted website.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that jumped out at us.

Accelerate Framework

CVE-2022-22633

Opening a maliciously crafted PDF file can lead to arbitrary code execution. The vulnerability exists due to a boundary error when processing PDF files within Accelerate Framework. The underlying memory corruption issue was addressed with improved state management.

An attacker would need to trick the victim into opening their PDF file. Anything that can be triggered just by a victim opening a file that can be sent as an attachment is of great value to cybercriminals. In a “spray and pray” attack there is a reasonable chance of success. This might also be useful to attackers performing a targeted attack on an individual.

AppleAVD

CVE-2022-22666

Processing a maliciously crafted image may lead to heap corruption. AppleAVD is a decoder that handles certain media files. The vulnerability exists due to a memory corruption issue that was addressed with improved validation. Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The outcome can be relatively benign and cause a memory leak, or it may be fatal and cause a memory fault, usually in the program that causes the corruption.

AVEVideoEncoder

The AVEVideoEncoder is a component that is used when creating video files. This round there were three vulnerabilities fixed in this component.

CVE-2022-22634

A malicious application may be able to execute arbitrary code with kernel privileges. The vulnerability exists due to a buffer overflow that was addressed with improved bounds checking. A buffer overflow is a type of software vulnerability that exists when data written to an area of memory within a software application exceeds that area's boundary and spills into an adjacent memory region.

CVE-2022-22635

An application may be able to gain elevated privileges. The vulnerability exists due to an out-of-bounds write issue that was addressed with improved bounds checking. If a flaw in a program allows it to read or write outside of the bounds set for the program, it is possible to manipulate other parts of the memory which are allocated to more critical functions. This can allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

CVE-2022-22636

An application may be able to execute arbitrary code with kernel privileges. This is another out-of-bounds write issue that was addressed with improved bounds checking.

GPU Drivers

CVE-2022-22667

An application may be able to execute arbitrary code with kernel privileges. This vulnerability exists due to a use after free issue that was addressed with improved memory management. An attacker would need authenticated access to exploit this vulnerability. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.
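To make the "does not clear the pointer" part concrete, here is an added example (not Apple's code and not taken from the advisory; the frame structure, function names and sample pixel bytes are all made up for illustration). Two components share one decoded frame; the release function clears the caller's pointer and only frees the memory when the last reference is gone, so a component that finishes early cannot leave a dangling pointer behind:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PIXEL_CAP 16   /* assumed fixed frame size for the demo */

/* Illustrative decoder frame shared between a producer (the decoder) and
 * a consumer (the display path). Names and layout are hypothetical. */
typedef struct {
    int refcount;
    size_t len;
    unsigned char pixels[PIXEL_CAP];
} frame_t;

frame_t *frame_new(const unsigned char *src, size_t len) {
    if (src == NULL || len > PIXEL_CAP) return NULL;
    frame_t *f = calloc(1, sizeof *f);
    if (f == NULL) return NULL;
    f->refcount = 1;
    f->len = len;
    memcpy(f->pixels, src, len);
    return f;
}

/* A second owner takes a counted reference instead of copying the raw
 * pointer, so the frame outlives whichever owner finishes first. */
frame_t *frame_retain(frame_t *f) {
    if (f != NULL) f->refcount++;
    return f;
}

/* Drops one reference and clears the caller's pointer, so the caller
 * cannot touch the frame after it has actually been freed. */
void frame_release(frame_t **fp) {
    if (fp == NULL || *fp == NULL) return;
    frame_t *f = *fp;
    *fp = NULL;                    /* caller no longer holds a dangling pointer */
    if (--f->refcount == 0) {
        memset(f, 0, sizeof *f);   /* scrub before handing memory back */
        free(f);
    }
}

/* Consumer: a NULL pointer becomes an error result instead of a read
 * from freed memory. Returns the byte sum of the frame, or -1. */
int frame_checksum(const frame_t *f) {
    if (f == NULL) return -1;
    int sum = 0;
    for (size_t i = 0; i < f->len; i++) sum += f->pixels[i];
    return sum;
}

/* Scenario: decoder and display both hold the frame and the decoder
 * finishes first. Returns 10 (the checksum of the constructed sample)
 * when every step behaves as intended, a negative code otherwise. */
int demo_shared_lifetime(void) {
    unsigned char sample[] = { 1, 2, 3, 4 };   /* constructed input */
    frame_t *decoder_ref = frame_new(sample, sizeof sample);
    if (decoder_ref == NULL) return -2;
    frame_t *display_ref = frame_retain(decoder_ref);   /* refcount 2 */

    frame_release(&decoder_ref);                 /* decoder done, refcount 1 */
    int after_decoder_done = frame_checksum(decoder_ref); /* -1: pointer cleared */
    int display_sum = frame_checksum(display_ref);        /* 10: memory still live */
    frame_release(&display_ref);                 /* refcount 0, freed here */
    int after_all_released = frame_checksum(display_ref); /* -1: no dangling use */

    if (after_decoder_done != -1 || after_all_released != -1) return -3;
    return display_sum;
}

int main(void) {
    printf("shared lifetime demo: %d\n", demo_shared_lifetime());
    return 0;
}
```

The point is the pair of rules the advisory's "improved memory management" stands for: a release always clears the pointer it was handed, and memory is freed only when the last owner lets go, so a stale pointer can never be dereferenced.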

ImageIO

The Image I/O framework allows applications to read and write most image file formats. Two vulnerabilities were fixed during this round.

CVE-2022-22611

Processing a maliciously crafted image may lead to arbitrary code execution. This vulnerability exists due to an out-of-bounds read that was addressed with improved input validation. An out-of-bounds read means that the software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. But it can also allow an attacker to run any commands or code in the target process.

CVE-2022-22612

Processing a maliciously crafted image may lead to heap corruption. This vulnerability exists due to a memory consumption issue that was addressed with improved memory handling. The heap is the name for a region of a process’ memory which is used to store dynamic variables.
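The AVEVideoEncoder entries above (buffer overflow and out-of-bounds write, "improved bounds checking") and the ImageIO entries (out-of-bounds read, "improved input validation"; heap corruption) all come down to the same defect: a length taken from the file is trusted for a copy. The following added example (not Apple's code, and the chunk format, function names and sample bytes are invented for illustration) shows a toy decoder in the vulnerable shape beside its hardened form, and exercises the three failure modes the post describes: a header that claims more bytes than are present (out-of-bounds read), a payload that does not fit the heap buffer (out-of-bounds write / heap corruption), and a well-formed input on which both versions agree, which is why the bug goes unnoticed:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy "chunk" format, invented for this example (not any Apple format):
 *   bytes 0..3  declared payload length, little-endian uint32
 *   bytes 4..   payload
 */

#define FRAME_CAPACITY 64   /* assumed fixed-size decode buffer */

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Defect pattern: the declared length drives the copy without being
 * compared to the bytes actually present (out-of-bounds read of the input)
 * or to the destination capacity (out-of-bounds write into the heap).
 * Kept only to show the shape of the bug; it must never see untrusted data. */
int decode_chunk_unchecked(const uint8_t *in, size_t in_len, uint8_t *out) {
    (void)in_len;                       /* available length is ignored */
    uint32_t declared = read_le32(in);
    memcpy(out, in + 4, declared);      /* copies whatever the header says */
    return (int)declared;
}

/* Hardened form: every quantity derived from the file is checked against
 * what is really there and against the buffer it is written into.
 * Returns the payload length, -1 if the input is truncated (would have
 * been an out-of-bounds read), -2 if the payload would not fit the
 * destination (would have been an out-of-bounds write). */
int decode_chunk_checked(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap) {
    if (in == NULL || out == NULL || in_len < 4)
        return -1;                      /* not even a complete header */
    uint32_t declared = read_le32(in);
    if (declared > in_len - 4)
        return -1;                      /* header claims more than we have */
    if (declared > out_cap)
        return -2;                      /* would overrun the heap buffer */
    memcpy(out, in + 4, declared);
    return (int)declared;
}

/* Decode a chunk into a freshly allocated heap frame, as a real decoder would. */
int decode_into_heap(const uint8_t *in, size_t in_len) {
    uint8_t *frame = malloc(FRAME_CAPACITY);
    if (frame == NULL) return -3;
    int rc = decode_chunk_checked(in, in_len, frame, FRAME_CAPACITY);
    free(frame);
    return rc;
}

/* Constructed sample inputs. */
static const uint8_t good_chunk[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
/* Header claims 200 bytes but only 3 follow: truncated input. */
static const uint8_t truncated_chunk[] = { 200, 0, 0, 0, 'a', 'b', 'c' };

/* Builds a chunk whose 100-byte payload is really present but exceeds the
 * 64-byte frame: blind copying would write past the heap allocation. */
static int build_oversized_chunk(uint8_t *buf, size_t buf_len) {
    if (buf_len < 4 + 100) return -1;
    buf[0] = 100; buf[1] = 0; buf[2] = 0; buf[3] = 0;
    memset(buf + 4, 'x', 100);
    return 104;
}

int demo_oversized(void) {
    uint8_t big[104];
    int n = build_oversized_chunk(big, sizeof big);
    if (n < 0) return -3;
    return decode_into_heap(big, (size_t)n);    /* expected: -2 */
}

/* On well-formed input the unchecked decoder gives the same answer as the
 * checked one, which is exactly why such bugs survive ordinary testing. */
int demo_good_unchecked(void) {
    uint8_t out[FRAME_CAPACITY];
    return decode_chunk_unchecked(good_chunk, sizeof good_chunk, out);
}

int main(void) {
    printf("good:      %d\n", decode_into_heap(good_chunk, sizeof good_chunk));
    printf("truncated: %d\n", decode_into_heap(truncated_chunk, sizeof truncated_chunk));
    printf("oversized: %d\n", demo_oversized());
    printf("unchecked on good input: %d\n", demo_good_unchecked());
    return 0;
}
```

Note that the two checks are independent: the truncation check protects the input buffer (the read side), the capacity check protects the destination (the write side), and a parser that has only one of them still carries half of the bug class.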

The usual suspects

Besides these specific CVEs there were vulnerabilities found in what we would call the usual suspects. The kernel and WebKit are both very important components of Apple’s operating systems. Not only because everyone uses them, but also because they are attractive targets for attackers.

Kernel

The kernel is a core component of any operating system and serves as the main interface between the computer’s physical hardware and the processes running on it. As such, the kernel is responsible for low-level tasks such as disk management, memory management, task management, etc.

Seven vulnerabilities were fixed during this round. Most of them cause an application to be able to execute arbitrary code with kernel privileges. Something you really don’t want to happen. Running arbitrary code with kernel privileges means that an attacker basically owns your system.

WebKit

WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux. Six vulnerabilities in WebKit were fixed this round. Most of them carry the worrying description “processing maliciously crafted web content may lead to arbitrary code execution.” What that means is that all an attacker has to do is lure a victim to their malicious site.

As far as we are aware, none of these vulnerabilities are being used in the wild, which doesn’t mean that they won’t be in the future. So, our advice, as always, is to get the updates at your earliest convenience.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.