Apple has released security updates for iOS, iPadOS, and macOS Ventura to patch two remote code execution (RCE) vulnerabilities that were discovered by Google Project Zero researchers. Remote code execution bugs allow attackers to push malicious code into affected devices over a network or the Internet.
Mitigation
The necessary updates for these vulnerabilities were included in the November 9 update for macOS Ventura 13.0.1, and the November 9 update for iOS 16.1.1 and iPadOS 16.1.1. The iOS and iPadOS update is available for iPhone 8 and later, all models of the iPad Pro, 3rd generation and later versions of the iPad Air, 5th generation iPads and up, and 5th generation iPad minis and up.
These should all have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.
There are no indications that these vulnerabilities are actively being exploited, but equally, no good reason to avoid updating.
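One way to run that check across a device inventory, as an added example that is not part of the original article: a POSIX shell script that compares reported OS versions against the fixed releases named above. The row format, host names and status labels are assumptions made for the example; `sw_vers -productVersion` is the macOS command that prints the installed version.

```shell
# Added example: version floors are the fixed releases named in the article.
MACOS_FIXED=13.0.1   # macOS Ventura
IOS_FIXED=16.1.1     # iOS and iPadOS

# version_ge A B: succeed when dotted version A >= B, comparing field by
# field as numbers (so 16.10 > 16.1.1); missing fields count as 0.
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
    done
    return 0
}

# classify PLATFORM VERSION: print patched, needs-update, not-covered or invalid.
classify() {
    case $1 in
        macos) fixed=$MACOS_FIXED ;;
        ios|ipados) fixed=$IOS_FIXED ;;
        *) echo invalid; return 0 ;;
    esac
    # Reject malformed versions instead of letting them pass as patched.
    case $2 in ''|.*|*.|*..*|*[!0-9.]*) echo invalid; return 0 ;; esac
    # Older major releases are outside what the article states.
    if [ "${2%%.*}" -lt "${fixed%%.*}" ]; then echo not-covered
    elif version_ge "$2" "$fixed"; then echo patched
    else echo needs-update; fi
}

# audit_inventory: read "host platform version" rows on stdin, print status.
audit_inventory() {
    while read -r host platform version; do
        [ -n "$host" ] || continue
        echo "$host $(classify "$platform" "$version")"
    done
}

# Constructed sample inventory (hypothetical host names).
audit_inventory <<'EOF'
mac-01 macos 13.0
ipad-07 ipados 16.1.1
mac-09 macos 12.6.1
EOF
# On a Mac, also check the local host.
if command -v sw_vers >/dev/null 2>&1; then
    echo "this-host $(classify macos "$(sw_vers -productVersion)")"
fi
```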
The vulnerabilities
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs patched in this update:
CVE-2022-40303 is an integer overflow vulnerability in libxml2. A remote user may be able to cause unexpected app termination or arbitrary code execution. The vulnerability was addressed through improved input validation.
CVE-2022-40304 is another issue in libxml2. A remote user may be able to cause unexpected app termination or arbitrary code execution. The vulnerability was addressed through improved checks.
Libxml2
After reading the description of the vulnerabilities, you may be left wondering what libxml2 is. The libxml2 package contains libraries and utilities used for parsing XML files. The package is highly portable and widely used in other environments. It was originally developed for the GNOME project, but can be used outside it.
At this moment it is unclear whether the vulnerabilities are in the libxml2 package itself or in the way Apple uses it. But we will keep you posted here if and when we find out more.