patching apple

Update now! Apple patches another actively used zero-day

Apple has released patches for iOS 15.3, iPadOS 15.3, and macOS Monterey 12.2 and is urging users to update. The most significant reasons are two actively exploited zero-day vulnerabilities, one of which has a publicly disclosed Proof-of-Concept (PoC).

Using this vulnerability, designated CVE-2022-22587, a malicious app could execute random code with kernel privileges.

Why did it take so long

The zero-day appears to have been found and reported by at least two researchers independently of each other. Apple acknowledged an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01) for having reported this flaw.

The two researchers both stated that it took a long time for this bug to be acknowledged and fixed. One of them posted a Proof-of-Concept (PoC) on January 1st.

The other researcher reported the issue through the Zero-Day-Initiative (ZDI) three months ago, waited for two months and then decided to report to Apple directly.

https://twitter.com/R00tkitSMM/status/1486477431431065601

The Zero Day Initiative (ZDI) was created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers, although there has been some complaints from researchers that they didn’t feel they were taken seriously by the ZDI.

IOMobileFrameBuffer

CVE-2022-22587 is a memory corruption bug in the IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey. IOMobileFrameBuffer is a kernel extension for managing the screen FrameBuffer. An earlier vulnerability in this extension, listed as CVE-2021-30807, was tied to the Pegasus spyware. Another one was listed as CVE-2021-30883 and also allowed an application to execute arbitrary code with kernel privileges. We hope that the input validation has now been curated to makes this impossible in the future.

Actively exploited

Apple acknowledged that it was aware of a report that this issue may have been actively exploited.

Safari Webkit bug

The second zero-day is the Safari WebKit bug in iOS and iPadOS that allowed websites to track your browsing activity and users’ identities in real-time. After a researcher of FingerprintJS disclosed the bug in November, it was assigned the CVE-2022-22594 and has been fixed.

Updates

iOS 15.3 and iPadOS 15.3 fixes a total of ten security bugs. The updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

macOS Monterey 12.2 patches a total of 13 vulnerabilities in total. The latter also promises to bring smoother scrolling to MacBooks, fixing a previously reported scrolling issue in Safari.

Apple also released security fixes for legacy versions of macOS Big Sur and Catalina.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.