Apple patches yet another zero-day flaw in substantial security update

Apple has released a large package of security fixes for various bugs in iOS and iPadOS including four code-execution flaws and one serious zero-day.

The most significant of the 11 total security issues was the zero-day vulnerability that allowed hackers to potentially execute arbitrary code with kernel privileges - the most serious kind.

Apple said it is aware of a report that the issue may have been actively exploited in the wild. A zero-day vulnerability is characterised as a security flaw that was previously unknown to the affected vendor but not patched.

Tracked as CVE-2022-32917, the vulnerability was one of the four code-execution bugs patched in the update and the eighth zero-day Apple has patched this year.

It was not the only other bug that could be exploited with kernel privileges, though. The other is tracked as CVE-2022-32911 but unlike the first, this is not believed to be under active exploitation.

The other two were found in WebKit, Apple’s proprietary browser engine that’s used to power its Safari app, as well as all the in-app browsers found in apps allowed on Apple’s App Store.

They both may have allowed arbitrary code execution if a user accessed a maliciously crafted web page, but neither is thought to be under active exploitation either.

All of the security fixes apply to version 15.7 of each operating system (OS) which is the most recent version for iPads and the second most recent version for iPhones after iOS 16 was launched on Monday.

Affected devices are the same for all vulnerabilities in the list. These include all officially supported iPhones (iPhone 6s and newer), all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, and iPod touch (7th generation).

Also included in the package of patches were fixes for three separate privacy issues. The first of these impacted the affected devices’ Contacts app and Apple’s nondescript explanation of the issue offered very little other than: “an app may be able to bypass privacy preferences”.

Apple’s security advisories are famously brief in their explanation of each vulnerability and the potential capability of a method to exploit it. It’s unclear how another app could impact the privacy preferences of the contacts app.

“For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” it said in the update’s notes.

Apple’s Maps app also suffered a privacy issue whereby another app installed on an affected device may have been able to read “sensitive location information”.

Apple was equally as vague as to the finer details of this vulnerability, too, as it was with the third privacy flaw found in Safari’s web extensions.

Exploiting this vulnerability would potentially allow websites to track users through browser extensions in Apple’s Safari app.

Apple did not specify if this vulnerability would also circumvent its built-in App Tracking Transparency functionality introduced in iOS 14 or if websites could track users if they enabled the hiding of their IP address in the device’s settings.

Elsewhere, vulnerabilities potentially allowing photos to be accessed from the lock screen through the exploitation of Shortcuts, address bar spoofing in Safari, and privilege escalation flaws in MediaLibrary were also fixed.

Apple’s security updates rarely deliver this many fixes in one release but the update is potentially more impactful for iPad owners.

The security updates must be applied to Apple’s tablets but the vulnerabilities no longer affect the latest version of iOS, so if users updated to iOS 16 on Monday, then the fixes would automatically be ported over with the newer OS.

The latest iOS update brought with it several new security features for iPhone users and one of the most notable was the decoupled security updates.

Users would typically have had to wait for full iOS updates to receive new security patches but Apple is now releasing updates for its OS and security flaws separately so fixes can be applied more quickly.

The same security features will also be coming to iPad users when its iPadOS is eventually rolled out.

Apple has confirmed that the OS has been delayed by a month, although it is usually released at the same time as iOS.