How do the latest iPhone updates address Cybersecurity issues?

Read Time:5 Minute, 41 Second

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Apple is typically known for its minimal design, user-friendly UI, and hardware. But, the success of their products, especially iPhones, has long relied upon timely cybersecurity updates and their effectiveness. The prolonged support that they promise to their devices, in addition to hardware, also revolves around the OS and security updates.

That’s why you may still see security updates for older devices that aren’t upgradable to iOS 16 still being released. We’ll talk about a few latest security updates that have recently surfaced because of known and unknown vulnerabilities.

However, as a user, you may like to know how these updates are prioritized and why you should update your devices regularly.

Every vulnerability that has been detected gets ranked by a Common Vulnerability Scoring System (CVSS) and is denoted by a CVE serial number (CVE-Year-XXXXXX) that is used to track its status. For example, the log4j vulnerability, which impacted millions of systems worldwide, was ranked 10 out of 10. The updates are prioritized and released depending on that score. 

iOS 15.7.2 security update

The major security updates of iOS 15.7.2 are discussed below.

AppleAVD (Malicious Video File)

With a CVSS score of 7.8 and regarded as a high risk, AppleAVD vulnerability (CVE-2022-46694) increases the potential risk of a malicious video file writing out-of-bound and executing kernel code. Although user interaction is required for the vulnerability to be efficacious, risky downloaded videos may present issues with privacy and cybersecurity with this. The vulnerability was patched with improved input validation.  

AVEVideoEncoder (Kernel Privileges)

Like AppleAVD, AVEVideoEncoder vulnerability (CVE-2022-42848) also has a 7.8 CVSS score. However, the difference between these two is the AVEVideoEncoder vulnerability is related to an app that can access kernel privileges through user interaction and execute arbitrary code to jeopardize user security. The issue was fixed with improved checks.  

File System (Sandbox Issue)

In cybersecurity, sandbox defines a virtually isolated environment to run, observe, and analyze code. Typically, sandboxing is facilitated to imitate user interaction without involving active users. However, in complex operating systems like iOS, each app is caged in its own sandbox to limit its activity. The File System Vulnerability (CVE-2022-426861) revolves around malicious apps breaking out of the sandbox and executing kernel code. As it doesn’t require user interaction to act maliciously, it has a very high CVSS rating of 8.8. The issue was patched with improved checks. This vulnerability is one of the most critical reasons why you should stay updated with the latest iPhone releases.

Graphics Driver (Malicious Video File, System Termination)

With a medium CVSS rating of 5.5, the CVE-2022-42846 Graphics Driver vulnerability is capable of terminating systems through buffer overflow with malicious video files crafted for that particular purpose. Although user interaction is required, the impact of such attacks has severe implications on user experience and integrity. The issue was patched in the security update 15.7.2 with improved memory handling.

libxml2

libXML2 is generally used for parsing XML documents that transport text files containing structured data. This particular vulnerability with libxml2 (CVE-2022-40304) is assigned a CVSS base score of 7.8 and is capable of corrupting a hash table key—ultimately leading to logic errors—making the programs behave arbitrarily. This issue had occurred due to an integer overflow and was mitigated through improved input validation. 

WebKit (Processing Malicious Web Content)

Websites without security certifications and compliances often contain malicious codes that may lead to cybersecurity issues. As these malicious actors do their best to hide the fact, this particular WebKit issue (CVE-2022-46691) comes with a CVSS score of 8.8 and is considered a direct threat to the security of iPhones and iPads. This was patched in the latest update through improved memory handling.

iOS 16.2 security update

Most of the updates mentioned in the 15.7.2 update are also present in the 16.2 security patch released on 13th December 2022 for devices like the Apple iPhone 14 Plus. We won’t be discussing them again unless there is a major difference present in how the vulnerability was patched.

Accounts (Unauthorized User Access)

The CVE-2022-42843 vulnerability, AKA Accounts, is a 5.5-grade low-level issue that has been patched in the 16.2 security update. The issue mainly revolves around users viewing sensitive information of other users. While it has a high confidentiality impact, it doesn’t particularly affect the integrity of the apps or the database. The issue was fixed through improved data protection measures.

AppleMobileFileIntegrity (Bypass Privacy Preferences)

Privacy is considered paramount for iPhones. Although still a medium risk (5.5) vulnerability, the AppleMobileFileIntegrity issue (CVE-2022-42865) was prioritized in the recent updates due to apps using this to bypass privacy preferences and breach user confidentiality. This issue was fixed by enabling hardened runtime that prevents code injection, process memory tampering, and DLL hijacking.

CoreServices (Removal of Vulnerable Code)

Owing to the close nature of Apple, the CoreServices update (CVE-2022-42859) doesn’t specify any major changes that were made to the codes, but it promises to have removed a piece of vulnerable code that could enable an app to bypass privacy preferences to jeopardize confidentiality. The CVSS score is a medium 5.5 for this update.

GPU Drivers (Disclose Kernel Memory)

An issue with the GPU drivers in the CVE-2022-46702 vulnerability was detected for a malicious app to be able to disclose kernel memory. Kernel memory is strictly local memory loaded in the physical device’s RAM. As user interaction is required for the app to act maliciously, a medium 5.5 CVSS score was given. The issue was fixed to better memory handling.

ImageIO (Arbitrary Code Execution)

Mostly related to iCloud, but also seen in iOS itself, ImageIO issue with CVE-2022-46693 was detected to empower malicious files to execute arbitrary code. It was given a high CVSS score of 7.8 due to the arbitrary nature of the vulnerability. However, it requires user interaction, like locating and downloading that file(s). This out-of-bound issue was mitigated through improved input validation.

The bottom line

As you may already have understood, these updates are critical for your device to function securely and keep you safe from identity thefts and literal monetary risks. As these vulnerabilities are often made public for development purposes, malicious criminals often try to target devices that are yet to be updated. Therefore, you shouldn’t wait even a single day to install them.

Read More

CVE-2014-125046

Read Time:17 Second

A vulnerability, which was classified as critical, was found in Seiji42 cub-scout-tracker. This affects an unknown part of the file databaseAccessFunctions.js. The manipulation leads to sql injection. The name of the patch is b4bc1a328b1f59437db159f9d136d9ed15707e31. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217551.

Read More

CVE-2014-125043

Read Time:19 Second

A vulnerability, which was classified as problematic, has been found in vicamo NetworkManager. Affected by this issue is the function send_arps of the file src/devices/nm-device.c. The manipulation leads to unchecked return value. The name of the patch is 4da19b89815cbf6e063e39bc33c04fe4b3f789df. It is recommended to apply a patch to fix this issue. VDB-217514 is the identifier assigned to this vulnerability.

Read More

CVE-2014-125042

Read Time:21 Second

A vulnerability classified as problematic was found in vicamo NetworkManager. Affected by this vulnerability is the function nm_setting_vlan_add_priority_str/nm_utils_rsa_key_encrypt/nm_setting_vlan_add_priority_str. The manipulation leads to missing release of resource. The name of the patch is afb0e2c53c4c17dfdb89d63b39db5101cc864704. It is recommended to apply a patch to fix this issue. The identifier VDB-217513 was assigned to this vulnerability.

Read More

USN-5789-1: Linux kernel (OEM) vulnerabilities

Read Time:2 Minute, 0 Second

It was discovered that the NFSD implementation in the Linux kernel did not
properly handle some RPC messages, leading to a buffer overflow. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-43945)

Jann Horn discovered that the Linux kernel did not properly track memory
allocations for anonymous VMA mappings in some situations, leading to
potential data structure reuse. A local attacker could use this to cause a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2022-42703)

Roger Pau Monné discovered that the Xen virtual block driver in the Linux
kernel did not properly initialize memory pages to be used for shared
communication with the backend. A local attacker could use this to expose
sensitive information (guest kernel memory). (CVE-2022-26365)

Jan Beulich discovered that the Xen network device frontend driver in the
Linux kernel incorrectly handled socket buffers (skb) references when
communicating with certain backends. A local attacker could use this to
cause a denial of service (guest crash). (CVE-2022-33743)

It was discovered that a memory leak existed in the IPv6 implementation of
the Linux kernel. A local attacker could use this to cause a denial of
service (memory exhaustion). (CVE-2022-3524)

It was discovered that a race condition existed in the Bluetooth subsystem
in the Linux kernel, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2022-3564)

It was discovered that the TCP implementation in the Linux kernel contained
a data race condition. An attacker could possibly use this to cause
undesired behaviors. (CVE-2022-3566)

It was discovered that the IPv6 implementation in the Linux kernel
contained a data race condition. An attacker could possibly use this to
cause undesired behaviors. (CVE-2022-3567)

It was discovered that the Realtek RTL8152 USB Ethernet adapter driver in
the Linux kernel did not properly handle certain error conditions. A local
attacker with physical access could plug in a specially crafted USB device
to cause a denial of service (memory exhaustion). (CVE-2022-3594)

It was discovered that a null pointer dereference existed in the NILFS2
file system implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash). (CVE-2022-3621)

Read More

Attackers create 130K fake accounts to abuse limited-time cloud computing resources

Read Time:39 Second

A group of attackers is running a cryptomining operation that leverages the free or trial-based cloud computing resources and platforms offered by several service providers including GitHub,  Heroku, and Togglebox. The operation is highly automated using CI/CD processes and involves the creation of tens of thousands of fake accounts and the use of stolen or fake credit cards to activate time-limited trials.

Researchers from Palo Alto Networks’ Unit 42 have dubbed the group Automated Libra and believe it’s based in South Africa. During the peak of the campaign, dubbed PurpleUrchin, in November, the group was registering between three and five GitHub accounts every minute using automated CAPTCHA defeating processes with the intention to abuse GitHub Actions workflows for mining.

To read this article in full, please click here

Read More