Euro Security Watch with Mathew J. Schwartz

Patch Now: Apple Bashes Bugs Being Actively Exploited

No, the Sky Isn't Falling; Yes, Do Patch Quickly to Minimize Attack Surface
Calling all Apple users: It's time to once again patch your devices to protect them against two zero-day vulnerabilities that attackers are actively exploiting in the wild.

To fix the flaws, Apple has released iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1.

The view from the U.S. government: Patch now; don't wait. "An attacker could exploit one of these vulnerabilities to take control of an affected device," warns the Cybersecurity and Infrastructure Security Agency.

Likewise, the Department of Health and Human Services warns that threat actors could use the exploits to compromise iOS devices used in the healthcare sector.

"Apple is aware of a report that this issue may have been actively exploited," the company says of the flaws.

My takeaway: The sky is not falling. Everyone should still update their devices as quickly as possible, because any number of attackers could quickly seize on such serious flaws to cause real damage.

"Not many previous vulnerabilities have enabled attackers to take complete control of the device," says Alan Woodward, a professor of computer science at the University of Surrey. But such critical flaws are found regularly, including in February.

The new flaws in iOS include a vulnerability in the kernel, CVE-2022-32894, which an attacker could exploit to allow an application to "execute arbitrary code with kernel privileges," Apple says.

The other vulnerability is CVE-2022-32893, present in the open-source web browser engine WebKit, which is used across iOS and Apple devices. Apple says unpatched exposure to "maliciously crafted web content may lead to arbitrary code execution."

It's possible attackers chained the two vulnerabilities together - for example, exploiting WebKit and using it to pivot to the kernel vulnerability.

"Vulnerabilities in WebKit have the potential to go so deep into iOS it's always worth updating when they find one," Woodward says.

WebKit Bug Report: Flaw in JavaScriptCore

Apple's security alert links to a bug report on the WebKit Bugzilla site, which allows researchers to file bug reports. The report credits Yusuke Suzuki with reporting the flaw. The listing says the vulnerability is present in WebKit's JavaScriptCore, which is the JavaScript engine used by macOS, iOS, Mail, App Store and other apps.

Both flaws are also present in macOS version 12.5.x, aka Monterey, for which Apple has released 12.5.1 to fix the flaws.

Apple has also released Safari 15.6.1 to patch the WebKit flaw.

The Value of Zero-Days

Again, these security patches are no reason to panic. But ideally, do ensure that you've enabled auto-updates, and in Woodward's words, apply the fix "at your earliest convenience." See "Settings: General: Software update."
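For anyone responsible for more than one device, confirming that the fix has landed comes down to comparing each device's reported version against the releases named above. The script below is an added example, not the column's own material or an Apple tool; it takes the fixed versions from the article and assumes a constructed "hostname,product,version" inventory export, which is not the format of any particular MDM product.

```python
"""Flag Apple devices still below the releases that fix the two zero-days.

Added example (not from the original column). The fixed versions are the
ones named in the article; the inventory below is constructed sample data
in an assumed "hostname,product,version" format.
"""
from __future__ import annotations

# Minimum releases carrying the fixes for CVE-2022-32893 / CVE-2022-32894,
# as stated in the article. Anything older is treated as unpatched.
FIXED_VERSIONS = {
    "iOS": "15.6.1",
    "iPadOS": "15.6.1",
    "macOS": "12.5.1",
    "Safari": "15.6.1",
}

# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = """\
# hostname,product,version
mbp-finance-01,macOS,12.5
mbp-finance-02,macOS,12.5.1
mbp-finance-02,Safari,15.6.1
iphone-ceo,iOS,15.6
iphone-it-01, iOS, 15.6.1
ipad-lobby,iPadOS,15.5
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.1' into (12, 5, 1) for numeric, not lexicographic, comparison.

    Plain string comparison gets '15.10' < '15.6.1' wrong; integer tuples do
    not. Trailing zeros are dropped so '12.5' and '12.5.0' compare equal.
    Non-numeric components raise ValueError rather than being guessed at.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(product: str, version: str) -> bool:
    """True when `version` of `product` is at or above the fixed release.

    An unknown product raises KeyError on purpose: a platform we have no
    fixed version for must never be reported as patched by default.
    """
    return parse_version(version) >= parse_version(FIXED_VERSIONS[product])


def unpatched_devices(inventory_csv: str) -> list[tuple[str, str, str, str]]:
    """Parse inventory lines and return (hostname, product, version, required)
    for every device still below the fixed release. Blank and '#' lines are skipped."""
    flagged = []
    for line in inventory_csv.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostname, product, version = (field.strip() for field in line.split(",", 2))
        if not is_patched(product, version):
            flagged.append((hostname, product, version, FIXED_VERSIONS[product]))
    return flagged


if __name__ == "__main__":
    for host, product, have, need in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{host}: {product} {have} is below fixed release {need}")
```

The comparison deliberately works on integer tuples rather than strings, because a lexicographic check would misorder a future "15.10" against "15.6.1"; the same routine can be reused for any later Apple release by editing only the `FIXED_VERSIONS` table.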

It's not clear how these zero-day flaws might have been used to target individuals or who was the target. Apple didn't respond to a request for comment.

Apple zero-day vulnerabilities can be extremely valuable and command high prices from nation-state attack groups and commercial spyware developers such as Israel-based NSO Group and Candiru.

"They are by far the most valuable zero-days, worth millions of dollars, depending on the nature of the vulnerability," says Rob Graham, head of Georgia-based consultancy Errata Security.

By quietly putting these flaws to work, attackers can gain root access to phones, allowing them - or their customers - to spy on users undetected (see: Tech Alone Won't Defeat Advanced Spyware, US Congress Told).

Dissidents, human rights defenders and journalists aside, most people aren't at risk from advanced spyware. But once a vendor publicly details flaws, both security researchers and criminals often reverse-engineer them in record time. Hence experts' advice to patch as quickly as possible.

Real-World Patch Practices

Do users patch quickly, not least when it comes to mobile devices? It's difficult to get accurate statistics on that front for either Apple or Android.

What is clear is market share: Statcounter reports that Android runs on 72% of global devices; iOS runs on 28%.

But the view is different inside enterprises. Duo Security, part of Cisco, last year reported that there are about twice as many devices running iOS as Android in corporate environments. Apple users also seem to be quicker at installing fixes.

"On average, iOS devices were 40% more likely to be updated within 30 days of a security update or patch, compared to Android devices," Duo reports.

Updates: Apple vs. Android

Patch availability, especially after a zero-day vulnerability becomes public knowledge, differs widely between the two ecosystems.

Apple guarantees security updates for devices for at least five years, but some devices getting fixes this week are as old as seven years. Specifically, Apple says updates are available for "iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)."

Because Apple controls all hardware that runs iOS, one benefit its ecosystem has compared to Android phones is that when Apple publicly announces that a vulnerability has been patched, the patch is immediately available for supported devices.

Android device owners face a lag between the Android Open Source Project's release of security updates and manufacturers developing, testing and shipping a new version of Android that will run on their devices. Any delay leaves users at risk, and attackers often reverse-engineer and quickly target the flaws.

But no device is immune to being hacked, especially by advanced attackers potentially wielding zero-day exploits. Last month, Apple announced that it will be debuting a new Lockdown Mode in a forthcoming version of iOS. When activated, it will reduce the attack surface by making certain message attachments inaccessible, complicating FaceTime calls from unknown contacts and more.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
