IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple patches yet another zero-day flaw in substantial security update

The updates include fixes for kernel-level code execution bugs, privacy issues, and more - all impacting iPhone and iPad users

Apple has released a large package of security fixes for various bugs in iOS and iPadOS including four code-execution flaws and one serious zero-day.

The most significant of the 11 total security issues was the zero-day vulnerability that allowed hackers to potentially execute arbitrary code with kernel privileges - the most serious kind.

Apple said it is aware of a report that the issue may have been actively exploited in the wild. A zero-day vulnerability is characterised as a security flaw that was previously unknown to the affected vendor but not patched.

Tracked as CVE-2022-32917, the vulnerability was one of the four code-execution bugs patched in the update and the eighth zero-day Apple has patched this year. 

It was not the only other bug that could be exploited with kernel privileges, though. The other is tracked as CVE-2022-32911 but unlike the first, this is not believed to be under active exploitation.

The other two were found in WebKit, Apple’s proprietary browser engine that’s used to power its Safari app, as well as all the in-app browsers found in apps allowed on Apple’s App Store.

They both may have allowed arbitrary code execution if a user accessed a maliciously crafted web page, but neither is thought to be under active exploitation either.

All of the security fixes apply to version 15.7 of each operating system (OS) which is the most recent version for iPads and the second most recent version for iPhones after iOS 16 was launched on Monday.

Affected devices are the same for all vulnerabilities in the list. These include all officially supported iPhones (iPhone 6s and newer), all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, and iPod touch (7th generation).

Also included in the package of patches were fixes for three separate privacy issues. The first of these impacted the affected devices’ Contacts app and Apple’s nondescript explanation of the issue offered very little other than: “an app may be able to bypass privacy preferences”.

Apple’s security advisories are famously brief in their explanation of each vulnerability and the potential capability of a method to exploit it. It’s unclear how another app could impact the privacy preferences of the contacts app.

Related Resource

Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency

Whitepaper cover with title over a grey rectangle with header graphic and ESG logoFree Download

“For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” it said in the update’s notes.

Apple’s Maps app also suffered a privacy issue whereby another app installed on an affected device may have been able to read “sensitive location information”.

Apple was equally as vague as to the finer details of this vulnerability, too, as it was with the third privacy flaw found in Safari’s web extensions. 

Exploiting this vulnerability would potentially allow websites to track users through browser extensions in Apple’s Safari app. 

Apple did not specify if this vulnerability would also circumvent its built-in App Tracking Transparency functionality introduced in iOS 14 or if websites could track users if they enabled the hiding of their IP address in the device’s settings.

Elsewhere, vulnerabilities potentially allowing photos to be accessed from the lock screen through the exploitation of Shortcuts, address bar spoofing in Safari, and privilege escalation flaws in MediaLibrary were also fixed.

Apple’s security updates rarely deliver this many fixes in one release but the update is potentially more impactful for iPad owners. 

The security updates must be applied to Apple’s tablets but the vulnerabilities no longer affect the latest version of iOS, so if users updated to iOS 16 on Monday, then the fixes would automatically be ported over with the newer OS.

The latest iOS update brought with it several new security features for iPhone users and one of the most notable was the decoupled security updates.

Users would typically have had to wait for full iOS updates to receive new security patches but Apple is now releasing updates for its OS and security flaws separately so fixes can be applied more quickly.

The same security features will also be coming to iPad users when its iPadOS is eventually rolled out. 

Apple has confirmed that the OS has been delayed by a month, although it is usually released at the same time as iOS.

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download

Recommended

Android vs iOS: Which mobile OS is right for you?
Mobile

Android vs iOS: Which mobile OS is right for you?

30 Nov 2022
Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more
Mobile

Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more

11 Nov 2022
New macOS Ventura security features make for a compelling upgrade
operating systems

New macOS Ventura security features make for a compelling upgrade

25 Oct 2022
Apple patches actively exploited iPhone, iPad zero-day and 18 other security flaws
zero-day exploit

Apple patches actively exploited iPhone, iPad zero-day and 18 other security flaws

25 Oct 2022

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Why Japan finds it so hard to digitally transform
digital transformation

Why Japan finds it so hard to digitally transform

1 Dec 2022