2022.0818 Apple Security Concern

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

Safari 15.6.1

Released August 18, 2022

WebKit

Available for: macOS Big Sur and macOS Catalina

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

WebKit Bugzilla: 243557
CVE-2022-32893: an anonymous researcher


About the security content of iOS 15.6.1 and iPadOS 15.6.1

This document describes the security content of iOS 15.6.1 and iPadOS 15.6.1.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.


iOS 15.6.1 and iPadOS 15.6.1

Released August 17, 2022

Kernel

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32894: an anonymous researcher

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

WebKit Bugzilla: 243557
CVE-2022-32893: an anonymous researcher


About the security content of macOS Monterey 12.5.1

This document describes the security content of macOS Monterey 12.5.1.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.


macOS Monterey 12.5.1

Released August 17, 2022

Kernel

Available for: macOS Monterey

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2022-32894: an anonymous researcher

WebKit

Available for: macOS Monterey

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An out-of-bounds write issue was addressed with improved bounds checking.

WebKit Bugzilla: 243557
CVE-2022-32893: an anonymous researcher


New macOS 12.5.1 and iOS 15.6.1 updates patch “actively exploited” vulnerabilities

The two vulnerabilities are the same for all three operating systems, with the first tracked as CVE-2022-32894. This vulnerability is an out-of-bounds write vulnerability in the operating system's Kernel.

The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.

An application, such as malware, can use this vulnerability to execute code with Kernel privileges. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it.

The second zero-day vulnerability is CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.

Apple says this flaw would allow an attacker to perform arbitrary code execution and, as it's in the web engine, could likely be exploited remotely by visiting a maliciously crafted website.

The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.6.1,  iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both bugs.

The list of devices affected by both vulnerabilities are:

  • Macs running macOS Monterey

  • iPhone 6s and later

  • iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).


Update, Aug. 18, 3:45 p.m.: Apple has released the Safari 15.6.1 update for macOS Big Sur and Catalina to patch the WebKit vulnerability it fixed in macOS Monterey yesterday. Still no word on whether the kernel vulnerability is present in either of these older operating systems, but we'll update if Apple responds to our query.

Original story: Apple has released a trio of operating system updates to patch security vulnerabilities that it says "may have been actively exploited." The macOS 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 updates are available for download now and should be installed as soon as possible.

The three updates all fix the same pair of bugs. One, labeled CVE-2022-32894, is a kernel vulnerability that can allow apps "to execute arbitrary code with kernel privileges. The other, CVE-2022-32893, is a WebKit bug that allows for arbitrary code execution via "maliciously crafted web content." Both discoveries are attributed to an anonymous security researcher. WebKit is used in the Safari browser as well as in apps like Mail that use Apple's WebViews to render and display content.

Apple didn't release equivalent security patches for macOS Catalina or Big Sur, two older versions of macOS that are still receiving regular security updates. We've contacted Apple to see whether it plans to release these patches for these older OSes, or if they aren't affected by the bugs and don't need to be patched.

Apple's software release notes for the updates don't reference any other fixes or features. Apple is actively developing iOS 16, iPadOS 16, and macOS Ventura, and those updates are due out later this fall.