Results based

IT consulting

Equipping SaaS Businesses

up for a Scale

Apple Identifies new security vulnerabilities – Protecting yourself

Apple has recently announced the prevelance of a seroius security flaw in IOS/iPadOS 15.6.1 that affects all users. The august 17 announcement was relatively brief & quiet but obviously is being taken very seriously.

The security concerns are focused around the ability to execute unwanted code. The two vulnerabilites found in Webkit, & the Kernel, have since been patched with an available update for anyone that can run iOS/iPadOS 15 natively. The descriptions that were provided in the document are vague but explain that code could potentially be run on an apple device unknowningly while doing basic web browsing, making everyone vulnerable.

The code could even reach down to the keranl level. The Kernal is one of the lowest levels of iOS & controls all the other parts of the device being used. Malicious code with kernel privileges can effectively give someone complete access to any device still holding the software flaw. 

Available CVE codes for futher reseatch & understanding:
iOS/iPadOS
Kernel – CVE-2022-32894: an anonymous researcher
WebKit – CVE-2022-32893: an anonymous researcher
macOS
Kernel – CVE-2022-32894: an anonymous researcher
Webkit – CVE-2022-32893: an anonymous researcher

Apple recently released updates to all applicable users & ackowledged that there is a report of the exploit being used actively to compromise devices but would not provide more specific details pressumably in the hopes of reducing any added attention from attackers that could be interested in exploiting the breach on users who are slower to update.

Being able to run code on a device via a weblink is powerful & rare. The first thing you can do to make sure that you protect yoursefl is obviously to make sure that your devices are up to date. Apple works hard to patch their software & remove vulnerabilities as quickly as they can, but it means nothing if you don’t bother to update your device. Many people have reservations about blindly updating their devices but this is an important security update that could compromise your entire device without the patch.

Thankfully, due to the nature of delivering the unwanted code (via url) there is no known evidence to support the idea that this was some sort of widespread hack or data breach. Anyone affected by the vulnerabilities would essentially need to be targetd rather than just widely hacked. This reduces the number of oppourtunities for attackers to strike since they would first need to inducidually pick thier victim & would then only be successful if their victim hadn’t bothered to updtate to the newer IOS.

Less publicly talked ahout were the similar vulnerabilities that were found in macOS 12.5. Given the fundamental differences that exisist between macOS, & iOS (or iPadOS), it would have been plausible to believe that that macOS was not affected. Since it has been affected, we can assume that the vullnerabilities are fundamental & could affect all apple devices, new & old. 

The researcher who initially brought the issue to apple’s attention chose to remain annonymous, likely to reduce the amount of atention they would get by signing their name as the vulnerabilitie’s discoverer. You can find a more detailed report of the vulnerability by looking for the CVE code that is avaiable on almost all if not all published security document that apple releasees.