The updates are available for the following devices and operating systems -

• iOS 18.1.1 and iPadOS 18.1.1 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

• iOS 17.7.2 and iPadOS 17.7.2 - iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

• macOS Sequoia 15.1.1 - Macs running macOS Sequoia

• visionOS 2.1.1 - Apple Vision Pro

• Safari 18.1.1 - Macs running macOS Ventura and macOS Sonoma

CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.

Banks, airports, TV stations, health care organizations, hotels, and countless other businesses are all facing widespread IT outages, leaving flights grounded and causing widespread disruption, after Windows machines have displayed errors worldwide.

In the early hours of Friday, companies in Australia running Microsoft’s Windows operating system started reporting devices showing Blue Screens of Death (BSODs). Shortly after, reports of disruptions started flooding in from around the world, including from the UK, India, Germany, the Netherlands, and the US: TV station Sky News went offline, and US airlines United, Delta, and American Airlines issued a “global ground stop” on all flights.

Engineers from CrowdStrike posted to the company’s Reddit forum that it has seen “widespread reports of BSODs on Windows hosts” occurring across its software, is working on the problem, and has advised a workaround for impacted systems. It also issued instructions to its customers in an advisory.

Microsoft said it is aware of the issue affecting machines running Windows, and noted it is affecting systems running CrowdStrike’s Falcon security software.

The outage has been blamed on a software update by cybersecurity firm CrowdStrike, which has resulted in many Windows systems experiencing the dreaded “Blue Screen of Death” (BSOD) while booting.

The underlying issue causing outages for Microsoft’s 365 apps and services—including Outlook, Teams and Office—has been fixed, the company said, though a “residual impact” is continuing to affect some services.

CrowdStrike President and chief executive George Kurtz said the company was “actively working” with customers impacted by an issue found in a content update on Windows computers, adding the “issue has been identified, isolated and a fix has been deployed.”

The U.S. Emergency Alerts System said 911 lines in multiple states were down.

According to the Federal Aviation Administration, nearly all major American carriers—including Delta, American and United—have been forced to temporarily ground all their flights due to the outage, while carriers and airports including Air India, KLM, Hong Kong International Airport, Berlin Brandenburg Airport and London Stansted also reported disruptions, forcing some of them to rely on manual check-ins with long queues being reported.

The London Stock Exchange group said its workspace platform was also facing an outage preventing it from publishing statements while banks and payment terminals in Australia were also affected, though the New York Stock Exchange reportedly said its systems were unaffected.

Office 365 Resolved. Previously:

Title: Users may be unable to access various Microsoft 365 apps and services

User impact: Users may be unable to access various Microsoft 365 apps and services.

More info: Impact included but was not limited to the following apps and services:

- OneDrive for Consumer: Users may have been unable to access OneDrive for Business content.

- OneNote: Users may have been unable to sync content, experienced delays syncing notebooks, or may have been unable to open notebooks.

Final status: We've confirmed that impact has been resolved following our mitigation efforts.

Start time: Thursday, July 18, 2024, at 10:59 PM UTC

End time: Friday, July 19, 2024, at 4:21 AM UTC

Title: Users may be unable to access various Microsoft 365 apps and services

User impact: Users may be unable to access various Microsoft 365 apps and services.

More info: Impact includes but is not limited to the following apps and services:

- OneDrive for Consumer: Users may be unable to access OneDrive for Business content.

- OneNote: Users may be unable to sync content, have delays syncing notebooks, or may be unable to open notebooks.

Current status: We still expect that users will continue to see gradual relief as we continue to mitigate the issue. The latest information on impacted and recovered services will be provided within the "More info" section of this communication. Additionally, we are shifting our focus to developing a mitigation that will help determine and resolve the underlying source of the problem.

Next update by: Friday, July 19, 2024, by 5:30 AM UTC

Title: Users may be unable to access various Microsoft 365 apps and services

User impact: Users may be unable to access various Microsoft 365 apps and services.

More info: Impact includes but is not limited to the following apps and services:

- OneDrive for Consumer: Users may be unable to access OneDrive for Business content.

- OneNote: Users may be unable to sync content, have delays syncing notebooks, or may be unable to open notebooks.

Current status: We're continuing to notice service health improvements and users will gradually see relief as our efforts progress. Concurrently, we're still developing a fix to address the underlying issue of this incident. We appreciate your organization's patience and understanding while we resolve this event.

Next update by: Friday, July 19, 2024, by 4:30 AM UTC

Title: Users may be unable to access various Microsoft 365 apps and services

User impact: Users may be unable to access various Microsoft 365 apps and services.

More info: Impact includes but is not limited to the following apps and services:

- OneDrive for Consumer: Users may be unable to access OneDrive for Business content.

- OneNote: Users may be unable to sync content, have delays syncing notebooks, or may be unable to open notebooks.

Current status: We’re still observing a positive trend of service availability as our mitigation efforts progress. In parallel, we are working on a mitigation to address the suspected root cause of this event. We remain committed to treating this incident with the highest priority to ensure it resolves in a timely manner.

Next update by: Friday, July 19, 2024, by 3:30 AM UTC

Title: Users may be unable to access various Microsoft 365 apps and services

User impact: Users may be unable to access various Microsoft 365 apps and services.

More info: Impact includes but is not limited to the following apps and services:

- OneDrive for Consumer: Users may be unable to access OneDrive for Business content.

- OneNote: Users may be unable to sync content, have delays syncing notebooks, or may be unable to open notebooks.

Current status: Our internal telemetry and customer signals indicate that service availability is gradually returning to a healthy state following our traffic redirection efforts. We have also identified a potential root cause that may have contributed to the impact. Our team is currently validating these findings and our mitigation strategy to ensure the issue is resolved as quickly as possible.

Next update by: Friday, July 19, 2024, by 2:30 AM UTC

Title: Users may be unable to access various Microsoft 365 apps and services

User impact: Users may be unable to access various Microsoft 365 apps and services.

More info: Impact includes but is not limited to the following apps and services:

- OneDrive for Consumer: Users may be unable to access OneDrive for Business content.

- OneNote: Users may be unable to sync content, have delays syncing notebooks, or may be unable to open notebooks.

Current status: We remain focused on redirecting the impacted traffic to healthy systems as we investigate the root cause. Your organization may experience relief as our mitigation efforts progress. We understand the impact that this issue may have on your organization and we're continuing to treat this event with the highest priority.

Next update by: Friday, July 19, 2024, by 1:30 AM UTC

Title: Users may be unable to access various Microsoft 365 apps and services

User impact: Users may be unable to access various Microsoft 365 apps and services.

More info: Impact includes but is not limited to the following apps and services:

- OneDrive for Consumer: Users may be unable to access OneDrive for Business content.

Current status: We're rerouting affected traffic out of the impacted infrastructure while we continue to investigate the cause of the issue.

Next update by: Friday, July 19, 2024, by 12:30 AM UTC

Researchers uncovered a new campaign with FakeUpdates, also known as SocGolish, targeting and compromising WordPress websites with hacked admin accounts. Meanwhile, Play entered the top three of most wanted ransomware groups and education remained the most attacked sector worldwide

Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to infiltrate websites by utilizing altered editions of authentic WordPress plugins, and tricking individuals into downloading a Remote Access Trojan. Meanwhile, even following its takedown towards the end of February, Lockbit3 remained the most prevalent ransomware group, responsible for 20% of published attacks, and education continued to be the most impacted industry worldwide.

FakeUpdates, also known as SocGholish, has been operational since at least 2017, and uses JavaScript malware to target websites, especially those with content management systems. Often ranked the most prevalent malware in the Threat Index, the FakeUpdates malware aims to trick users into downloading malicious software and despite efforts to stop it, it remains a significant threat to website security and user data. This sophisticated malware variant has previously been associated with the Russian cybercrime group known as Evil Corp. Due to its downloader functionality, it is believed that the group monetizes the malware by selling access to the systems that it infects, leading to other malware infections if the group provides access to multiple customers.

Websites are the digital storefronts of our world, crucial for communication, commerce, and connection. Defending them from cyberthreats isn’t just about safeguarding code; it is about protecting our online presence and the essential functions of our interconnected society. If cybercriminals choose to use them as a vehicle to covertly spread malware, that could impact future revenue generation and the reputation of an organization. It is vital to put preventative measures in and adopt a culture of zero tolerance to ensure absolute protection from threats.

Released March 7, 2024

Safari Private Browsing

Available for: macOS Monterey and macOS Ventura

Impact: Private Browsing tabs may be accessed without authentication

Description: This issue was addressed through improved state management.

CVE-2024-23273: Matej Rabzelj

WebKit

Available for: macOS Monterey and macOS Ventura

Impact: Processing web content may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263758
CVE-2024-23252: anbu1024 of SecANT

WebKit

Available for: macOS Monterey and macOS Ventura

Impact: A malicious website may exfiltrate audio data cross-origin

Description: The issue was addressed with improved UI handling.

WebKit Bugzilla: 263795
CVE-2024-23254: James Lee (@Windowsrcer)

WebKit

Available for: macOS Monterey and macOS Ventura

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A logic issue was addressed with improved validation.

WebKit Bugzilla: 264811
CVE-2024-23263: Johan Carlsson (joaxcar)

WebKit

Available for: macOS Monterey and macOS Ventura

Impact: A maliciously crafted webpage may be able to fingerprint the user

Description: An injection issue was addressed with improved validation.

WebKit Bugzilla: 266703
CVE-2024-23280: an anonymous researcher

WebKit

Available for: macOS Monterey and macOS Ventura

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 267241
CVE-2024-23284: Georg Felber and Marco Squarcina

Additional recognition

Safari

We would like to acknowledge Abhinav Saraswat and Matthew C for their assistance.

Released March 7, 2024

Admin Framework

Available for: macOS Monterey

Impact: An app may be able to elevate privileges

Description: A logic issue was addressed with improved checks.

CVE-2024-23276: Kirin (@Pwnrin)

Airport

Available for: macOS Monterey

Impact: An app may be able to read sensitive location information

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2024-23227: Brian McNulty

AppleMobileFileIntegrity

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: A downgrade issue affecting Intel-based Mac computers was addressed with additional code-signing restrictions.

CVE-2024-23269: Mickey Jin (@patch1t)

ColorSync

Available for: macOS Monterey

Impact: Processing a file may lead to unexpected app termination or arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2024-23247: m4yfly with TianGong Team of Legendsec at Qi'anxin Group

CoreCrypto

Available for: macOS Monterey

Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key

Description: A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions.

CVE-2024-23218: Clemens Lang

Dock

Available for: macOS Monterey

Impact: An app from a standard user account may be able to escalate privilege after admin user login

Description: A logic issue was addressed with improved restrictions.

CVE-2024-23244: Csaba Fitzl (@theevilbit) of OffSec

Image Processing

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2024-23270: an anonymous researcher

ImageIO

Available for: macOS Monterey

Impact: Processing an image may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2024-23286: Dohyun Lee (@l33d0hyun)

ImageIO

Available for: macOS Monterey

Impact: Processing an image may result in disclosure of process memory

Description: The issue was addressed with improved memory handling.

CVE-2024-23257: Junsung Lee working with Trend Micro Zero Day Initiative

Intel Graphics Driver

Available for: macOS Monterey

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

CVE-2024-23234: Murray Mike

Kerberos v5 PAM module

Available for: macOS Monterey

Impact: An app may be able to modify protected parts of the file system

Description: The issue was addressed with improved checks.

CVE-2024-23266: Pedro Tôrres (@t0rr3sp3dr0)

Kernel

Available for: macOS Monterey

Impact: An app may be able to cause unexpected system termination or write kernel memory

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2024-23265: Xinru Chi of Pangu Lab

Kernel

Available for: macOS Monterey

Impact: An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Description: A memory corruption issue was addressed with improved validation.

CVE-2024-23225

libxpc

Available for: macOS Monterey

Impact: An app may be able to cause a denial-of-service

Description: A permissions issue was addressed with additional restrictions.

CVE-2024-23201: Koh M. Nakagawa of FFRI Security, Inc. and an anonymous researcher

MediaRemote

Available for: macOS Monterey

Impact: An app may be able to access sensitive user data

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-28826: Meng Zhang (鲸落) of NorthSea

Metal

Available for: macOS Monterey

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2024-23264: Meysam Firouzi @R00tkitsmm working with Trend Micro Zero Day Initiative

Notes

Available for: macOS Monterey

Impact: An app may be able to access user-sensitive data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2024-23283

PackageKit

Available for: macOS Monterey

Impact: An app may be able to elevate privileges

Description: An injection issue was addressed with improved input validation.

CVE-2024-23274: Bohdan Stasiuk (@Bohdan_Stasiuk)

CVE-2024-23268: Mickey Jin (@patch1t), and Pedro Tôrres (@t0rr3sp3dr0)

PackageKit

Available for: macOS Monterey

Impact: An app may be able to access protected user data

Description: A race condition was addressed with additional validation.

CVE-2024-23275: Mickey Jin (@patch1t)

PackageKit

Available for: macOS Monterey

Impact: An app may be able to bypass certain Privacy preferences

Description: The issue was addressed with improved checks.

CVE-2024-23267: Mickey Jin (@patch1t)

PackageKit

Available for: macOS Monterey

Impact: An app may be able to overwrite arbitrary files

Description: A path handling issue was addressed with improved validation.

CVE-2024-23216: Pedro Tôrres (@t0rr3sp3dr0)

SharedFileList

Available for: macOS Monterey

Impact: An app may be able to access sensitive user data

Description: This issue was addressed with improved file handling.

CVE-2024-23230: Mickey Jin (@patch1t)

Shortcuts

Available for: macOS Monterey

Impact: A shortcut may be able to use sensitive data with certain actions without prompting the user

Description: The issue was addressed with additional permissions checks.

CVE-2024-23204: Jubaer Alnazi (@h33tjubaer)

Shortcuts

Available for: macOS Monterey

Impact: Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent

Description: This issue was addressed by adding an additional prompt for user consent.

CVE-2024-23245: an anonymous researcher

Storage Services

Available for: macOS Monterey

Impact: A user may gain access to protected parts of the file system

Description: A logic issue was addressed with improved checks.

CVE-2024-23272: Mickey Jin (@patch1t)

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: March 07, 2024

iOS 17.1 and iPadOS 17.1

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.2 and iPadOS 16.7.2

iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

iOS 15.8 and iPadOS 15.8

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

macOS Sonoma 14.1

macOS Sonoma

macOS Ventura 13.6.1

macOS Ventura

macOS Monterey 12.7.1

macOS Monterey

tvOS 17.1

Apple TV HD and Apple TV 4K (all models)

watchOS 10.1

Apple Watch Series 4 and later

Safari 17.1

macOS Monterey and macOS Ventura

Created Date: 2023-09-20 |  Last Modified: 2023-09-20

Microsoft's free upgrade offer for Windows 10 / 11 ended July 29, 2016. The installation path to obtain the Windows 7 / 8 free upgrade is now removed as well. Upgrades to Windows 11 from Windows 10 are still free.

Details

To upgrade to Windows 11, devices must meet the Windows 11 minimum system requirements. Some Windows 10 features aren't available in Windows 11. System requirements to experience some Windows 11 features and apps will exceed the Windows 11 minimum system requirements. Find Windows 11 specs, features, and computer requirements.

Get Windows 11 - How to Get Windows 11 for Your Compatible PC | Microsoft.

Information about the My Photo Stream shutdown

My Photo Stream is shutting down on July 26, 2023. Learn more about this transition and how to keep your photos up to date across all your devices and safely stored in iCloud.

My Photo Stream is scheduled to be shut down on July 26, 2023. 

As part of this transition, new photo uploads to My Photo Stream from your devices will stop one month before, on June 26, 2023. Any photos uploaded to the service before that date will remain in iCloud for 30 days from the date of upload and will be available to any of your devices where My Photo Stream is currently enabled. By July 26, 2023, there will be no photos remaining in iCloud, and the service will be shut down. 

The photos in My Photo Stream are already stored on at least one of your devices, so as long as you have the device with your originals, you won’t lose any photos as part of this process. If a photo you want isn't already in your library on a particular iPhone, iPad, or Mac, make sure that you save it to your library on that device. 

Moving forward, iCloud Photos is the best way to keep the photos and videos you take up to date across all your devices and safely stored in iCloud. 

Save photos currently in My Photo Stream

If your photos currently in My Photo Stream aren’t already in your library, you can save them to your device.

On your iPhone, iPad, or iPod touch

1. Open Photos and tap Albums.

2. Tap My Photo Stream > Select. 

3. Tap the photos that you want to save, then tap the Share button  > Save Image.

On your Mac

1. Open the Photos app, then open the My Photo Stream album. 

2. Select any photos you want to save that aren't currently in your photo library.

3. Drag them from the My Photo Stream album to your Library. 

Set up iCloud Photos

You can turn on iCloud Photos on any iPhone with iOS 8.3 or later, iPad with iPadOS 8.3 or later, or Mac with OS X Yosemite or later. After that, you can view your photos and videos in the Photos app on your iPhone, iPad, Mac, Apple TV, iCloud.com, and even sync them to a Windows PC using iCloud for Windows. 

Learn how to set up iCloud Photos on all of your devices

Published Date: May 26, 2023

Information about the My Photo Stream shutdown

My Photo Stream is shutting down on July 26, 2023. Learn more about this transition and how to keep your photos up to date across all your devices and safely stored in iCloud.

My Photo Stream is scheduled to be shut down on July 26, 2023. 

As part of this transition, new photo uploads to My Photo Stream from your devices will stop one month before, on June 26, 2023. Any photos uploaded to the service before that date will remain in iCloud for 30 days from the date of upload and will be available to any of your devices where My Photo Stream is currently enabled. By July 26, 2023, there will be no photos remaining in iCloud, and the service will be shut down. 

The photos in My Photo Stream are already stored on at least one of your devices, so as long as you have the device with your originals, you won’t lose any photos as part of this process. If a photo you want isn't already in your library on a particular iPhone, iPad, or Mac, make sure that you save it to your library on that device. 

Moving forward, iCloud Photos is the best way to keep the photos and videos you take up to date across all your devices and safely stored in iCloud. 

Save photos currently in My Photo Stream

If your photos currently in My Photo Stream aren’t already in your library, you can save them to your device.

On your iPhone, iPad, or iPod touch

1. Open Photos and tap Albums.

2. Tap My Photo Stream > Select. 

3. Tap the photos that you want to save, then tap the Share button  > Save Image.

On your Mac

1. Open the Photos app, then open the My Photo Stream album. 

2. Select any photos you want to save that aren't currently in your photo library.

3. Drag them from the My Photo Stream album to your Library. 

Set up iCloud Photos

You can turn on iCloud Photos on any iPhone with iOS 8.3 or later, iPad with iPadOS 8.3 or later, or Mac with OS X Yosemite or later. After that, you can view your photos and videos in the Photos app on your iPhone, iPad, Mac, Apple TV, iCloud.com, and even sync them to a Windows PC using iCloud for Windows. 

Learn how to set up iCloud Photos on all of your devices

Published Date: May 26, 2023

macOS Ventura 13.4.1

Released June 21, 2023

Kernel

Available for: macOS Ventura

Impact: An app may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.

Description: An integer overflow was addressed with improved input validation.

CVE-2023-32434: Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky

WebKit

Available for: macOS Ventura

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A type confusion issue was addressed with improved checks.

WebKit Bugzilla: 256567

CVE-2023-32439: an anonymous researcher

The latest version of iOS and iPadOS is 16.3.1. Learn how to update the software on your iPhone, iPad, or iPod touch.

macOS Ventura 13.2.1

This update provides important bug fixes and security updates for your Mac.

Problems with Office 365 and older operating systems and devices.

About the security content of iOS 15.7 and iPadOS 15.7

This document describes the security content of iOS 15.7 and iPadOS 15.7.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

iOS 15.7 and iPadOS 15.7

Released September 12, 2022

Contacts

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to bypass Privacy preferences

Description: This issue was addressed with improved checks.

CVE-2022-32854: Holger Fuhrmannek of Deutsche Telekom Security

Kernel

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2022-32911: Zweig of Kunlun Lab

Kernel

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to disclose kernel memory

Description: The issue was addressed with improved memory handling.

CVE-2022-32864: Linus Henze of Pinauten GmbH (pinauten.de)

Kernel

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved bounds checks.

CVE-2022-32917: an anonymous researcher

Maps

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32883: Ron Masas, breakpointhq.com

MediaLibrary

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A user may be able to elevate privileges

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-32908: an anonymous researcher

Safari

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Visiting a malicious website may lead to address bar spoofing

Description: This issue was addressed with improved checks.

CVE-2022-32795: Narendra Bhati of Suma Soft Pvt. Ltd. Pune (India) @imnarendrabhati

Safari Extensions

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A website may be able to track users through Safari web extensions

Description: A logic issue was addressed with improved state management.

WebKit Bugzilla: 242278
CVE-2022-32868: Michael

Shortcuts

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A person with physical access to an iOS device may be able to access photos from the lock screen

Description: A logic issue was addressed with improved restrictions.

CVE-2022-32872: Elite Tech Guru

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

WebKit Bugzilla: 241969
CVE-2022-32886: P1umer, afang5472, xmzyshypnc

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

WebKit Bugzilla: 242762
CVE-2022-32912: Jeonghoon Shin (@singi21a) at Theori working with Trend Micro Zero Day Initiative

Additional recognition

Game Center

We would like to acknowledge Joshua Jones for their assistance.

Identity Services

We would like to acknowledge Joshua Jones for their assistance.