nakedsecurity.sophos.com
Open in
urlscan Pro
2a04:fa87:fffd::c000:42e3
Public Scan
URL:
https://nakedsecurity.sophos.com/2022/08/18/apple-patches-double-zero-day-in-browser-and-kernel-update-now/
Submission: On September 29 via api from US — Scanned from DE
Submission: On September 29 via api from US — Scanned from DE
Form analysis 3 forms found in the DOM
GET https://nakedsecurity.sophos.com/
<form target="_top" role="search" class="search-form" method="get" action="https://nakedsecurity.sophos.com/">
<fieldset>
<div class="field">
<input type="search" value="" name="s" class="search-field" placeholder="Search naked security...">
</div>
<div class="submit">
<button type="submit" class="search-submit button">Go</button>
</div>
</fieldset>
</form>POST
<form onsubmit="return false" method="post" action="" id="newsletter" class="ready" autocomplete="off">
<div class="newsletter-messaging">
<h3 class="newsletter-title success-hide">Get the latest security news in your inbox.</h3>
<div class="state failure">
<div class="icon"></div>
<p>Sorry, something happened and we could not sign you up. Please try again later.</p>
</div>
<div class="state success">
<div class="icon"></div>
<h3>Congratulations, you have successfully signed up for our daily news!</h3>
<p>Check your inbox for our confirmation email.</p>
</div>
<div class="state bademail">
<p>Sorry, we will not accept that email address. Please try a different address.</p>
</div>
<div class="state busy">
<p>We're adding your address to our list...</p>
</div>
</div>
<div class="state ready controls">
<div class="capture"><input type="text" value="you@example.com" class="email virgin" name="email"><input type="submit" value="Subscribe" class="button" name="submit"></div>
</div><button class="close-link">Don't show me this again</button>
</form>POST https://nakedsecurity.sophos.com/wp-comments-post.php
<form action="https://nakedsecurity.sophos.com/wp-comments-post.php" method="post" id="commentform" class="comment-form" novalidate="">
<p class="comment-form-comment"><label for="comment">Comment <span class="required" aria-hidden="true">*</span></label> <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" required=""></textarea></p>
<p class="comment-form-author"><label for="author">Name</label> <input id="author" name="author" type="text" value="" size="30" maxlength="245"></p>
<p class="comment-form-email"><label for="email">Email</label> <input id="email" name="email" type="email" value="" size="30" maxlength="100"></p>
<p class="comment-form-url"><label for="url">Website</label> <input id="url" name="url" type="url" value="" size="30" maxlength="200"></p>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="Post Comment"> <input type="hidden" name="comment_post_ID" value="753820" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="9969809377"></p>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="1664482419934">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>Text Content
Skip to content
by
* Products
* Free Tools
* Search
* Free Sophos Home
Go
XG Firewall
Next-Gen Firewall
Intercept X
Next-Gen Endpoint
* Sophos Cloud Optix
* Sophos Central
* Sophos Mobile
* Intercept X for Server
* Secure Wi-Fi
* Phish Threat
* SafeGuard Encryption
* Secure Email
* SG UTM
* Secure Web Gateway
For Home Users
Sophos Home protects every Mac and PC in your home
Learn More
Free Security Tools
Free Trials
Product Demos
Have you listened to our podcast? Listen now
APPLE PATCHES DOUBLE ZERO-DAY IN BROWSER AND KERNEL – UPDATE NOW!
18 Aug 2022 13 Apple, iOS, Malware, OS X, Vulnerability
GET THE LATEST SECURITY NEWS IN YOUR INBOX.
Sorry, something happened and we could not sign you up. Please try again later.
CONGRATULATIONS, YOU HAVE SUCCESSFULLY SIGNED UP FOR OUR DAILY NEWS!
Check your inbox for our confirmation email.
Sorry, we will not accept that email address. Please try a different address.
We're adding your address to our list...
Don't show me this again
POST NAVIGATION
Previous: S3 Ep96: Zoom 0-day, AEPIC leak, Conti reward, healthcare security
[Audio + Text]
Next: Laptop denial-of-service via music: the 1980s R&B song with a CVE!
by Paul Ducklin
*
*
*
*
Apple just pushed out an emergency update for two zero-day bugs that are
apparently actively being exploited.
There’s a remote code execution hole (RCE) dubbed CVE-2022-32893 in Apple’s HTML
rendering software (WebKit), by means of which a booby trapped web page can
trick iPhones, iPads and Macs into running unauthorised and untrusted software
code.
Simply put, a cybercriminal could implant malware on your device even if all you
did was to view an innocent-looking web page.
Remember that WebKit is the part of Apple’s browser engine that sits underneath
absolutely all web rendering software on Apple’s mobile devices.
Macs can run versions of Chrome, Chromium, Edge, Firefox and other “non-Safari”
browsers with alternative HTML and JavaScript engines (Chromium, for example,
uses Blink and V8; Firefox is based on Gecko and SpiderMonkey).
But on iOS and iPadOS, Apple’s App Store rules insist that any software that
offers any sort of web browsing functionality must be based on WebKit, including
browsers such as Chrome, Firefox and Edge that don’t rely on Apple’s browsing
code on any other plaforms where you might use them.
Additionally, any Mac and iDevice apps with popup windows such as Help or About
screens use HTML as their “display language” – a programmatic convenience that
is understandably popular with developers.
Apps that do this almost certainly use Apple’s WebView system functions, and
WebView is based directly on top of WebKit, so it is therefore affected by any
vulnerabilities in WebKit.
The CVE-2022-32893 vulnerability therefore potentially affects many more apps
and system components than just Apple’s own Safari browser, so simply steering
clear of Safari can’t be considered a workaround, even on Macs where non-WebKit
browsers are allowed.
24/7 threat hunting, detection, and response delivered by an expert team as a
fully-managed service.
Learn More
THEN THERE’S A SECOND ZERO-DAY
There’s also a kernel code execution hole dubbed CVE-2022-32894, by which an
attacker who has already gained a basic foothold on your Apple device by
exploiting the abovementioned WebKit bug…
…could jump from controlling just a single app on your device to taking over the
operating system kernel itself, thus acquiring the sort of “admininstrative
superpowers” normally reserved for Apple itself.
This almost certainly means that the attacker could:
* Spy on any and all apps currently running
* Download and start additional apps without going through the App Store
* Access almost all data on the device
* Change system security settings
* Retrieve your location
* Take screenshots
* Use the cameras in the device
* Activate the microphone
* Copy text messages
* Track your browsing…
…and much more.
Apple hasn’t said how these bugs were found (other than to credit “an anonymous
researcher”), hasn’t said where in the world they’ve been exploited, and hasn’t
said who’s using them or for what purpose.
Loosely speaking, however, a working WebKit RCE followed by a working kernel
exploit, as seen here, typically provides all the functionality needed to mount
a device jailbreak (therefore deliberately bypassing almost all Apple-imposed
security restrictions), or to install background spyware and keep you under
comprehensive surveillance.
WHAT TO DO?
Patch at once!
At the time of writing, Apple has published advisories for iPad OS 15 and iOS
15, which both get updated version numbers of 15.6.1, and for macOS Monterey 12,
which gets an updated version number of 12.5.1.
The older supported versions of macOS (Big Sur and Catalina) haven’t yet
received kernel-level patches, so the operating systems themselves haven’t been
updated.
But there’s a standalone Safari update, taking you to Safari 15.6.1, that you
need to get if you’re still running macOS 10 Big Sur or macOS 11 Catalina.
* On your iPhone or iPad: Settings > General > Software Update
* On your Mac: Apple menu > About this Mac > Software Update…
There’s also an update that takes watchOS to version 8.7.1, but that update
doesn’t list any CVE numbers, and doesn’t have a security advisory of its own.
There’s no word yest on whether tvOS is immune, or is vulnerable but has not yet
been patched.
For further information, watch this space, and keep your eyes on Apple’s
official Security Bulletin portal page, HT201222.
* Follow @NakedSecurity on Twitter for the latest computer security news.
* Follow @NakedSecurity on Instagram for exclusive pics, gifs, vids and LOLs!
FREE TOOLS
SOPHOS FIREWALL HOME EDITION
Boost your home network security.
SOPHOS SCAN & CLEAN
Free second-opinion scanner for PCs.
SOPHOS CLOUD OPTIX
Monitor 25 cloud assets for free.
POST NAVIGATION
Previous: S3 Ep96: Zoom 0-day, AEPIC leak, Conti reward, healthcare security
[Audio + Text]
Next: Laptop denial-of-service via music: the 1980s R&B song with a CVE!
13 COMMENTS ON “APPLE PATCHES DOUBLE ZERO-DAY IN BROWSER AND KERNEL – UPDATE
NOW!”
1. Samuel says:
August 18, 2022 at 4:42 am
Error on article
latest update MacOS 12.5.2
Revision – 12.5.1
0
0
i
Rate This
Reply
* Paul Ducklin says:
August 18, 2022 at 2:07 pm
Fixed, thanks.
2
0
i
Rate This
Reply
2. Bazza says:
August 18, 2022 at 10:08 am
CVE-20220-32893
should be:
CVE-2022-32893
Though. that’s pretty handy for SEO to see who’s using your post 😉
[at}mcbazza
3
0
i
Rate This
Reply
* Paul Ducklin says:
August 18, 2022 at 2:08 pm
It was a typo, not a tracking trick :-)
Fixed, thanks.
2
0
i
Rate This
Reply
3. Al says:
August 19, 2022 at 4:37 am
watchOS update is for series 3 only.
1
0
i
Rate This
Reply
4. Nick says:
August 19, 2022 at 5:58 am
What about iOS 16 beta, affected too?
0
0
i
Rate This
Reply
* Paul Ducklin says:
August 19, 2022 at 10:38 am
Who can say? (Keep checking for updates is my recommendation! Beta
products don’t seem to get Security Advisories via the normal channel,
i.e. HT201222.)
2
0
i
Rate This
Reply
5. Rob says:
August 19, 2022 at 1:19 pm
It would be shocking if iOS/iPadOS16 needed patching as well but they didn’t
bother. I can’t see any updates on beta on my iPad so I’m hoping that means
they don’t need to.
0
0
i
Rate This
Reply
6. Susan says:
August 19, 2022 at 8:35 pm
How would a user know if the exploits had both been executed on their phone?
2
0
i
Rate This
Reply
* Paul Ducklin says:
August 19, 2022 at 9:28 pm
The problem is…
…that it’s almost impossible to say. Apple’s security advisories don’t
provide any details that might give anything away, so although there might
be obvious signs or anomalies to look out for, [a] you don’t know for sure
what they are and [b] they might not be obvious enough for you to find
them independently without some reliable and official hints on where to
start.
If you genuinely think that you might have been targeted by this pair of
bugs, then all I can suggest is that you read up on how to do an official
Apple DFU (device firmware update), which basically wipes the device and
reinstalls the entire operating system from scratch. You use a special
sequence of button-presses to enter DFU mode; you need to tether the phone
to a trusted laptop via a USB cable; and the process will *remove all
apps, settings and data currently installed*, so you basically have to set
up your phone all over again, as if you just bought it new.
(I have had two Apple phones now, and I did a DFU myself each time after
getting back from the shop with my new purchase. Because I could. It adds
a fair chunk of time, but most of that is just sitting around waiting for
the firmware image to download and get copied across.)
If we assume that this bug pair relates to some sort of “commercial
spyware” toolkit typically bought and used by governments, then the good
news is that the exploits probably haven’t been used widely (to try to
keep them off the radar and thus to extend their shelf life), but the bad
news is that they probably work well if deployed (governments don’t like
spending big money on high-end exploits only to find they’re a flop).
If we come up with any tips or tricks that reliably indicate that these
hacks have been deployed on a device, we’ll update the article.
In the meantime, I suggest: patch ASAP, and then read up on DFU if you
really are worried that you were one of the targets.
IIRC, a DFU will automatically (and only) install the very latest
firmware, so doing a DFU will essentially wipe-and-patch at the same time.
Don’t forget, though, that a DFU will obliterate any 2FA code-generator
sequences you’ve set up on your device, so make sure you have a secure way
to get back in to any important accounts, just as you would have to do if
you lost your phone or damaged it beyond repair.
3
0
i
Rate This
Reply
7. Anonymous says:
August 20, 2022 at 8:17 am
Would be good if Apple patched older iOS versions too, otherwise this leads
to the question whether iPhones and Macs have become expensive short
lifespan purchases.
0
0
i
Rate This
Reply
* Paul Ducklin says:
August 20, 2022 at 10:28 am
Apple doesn’t support any older versions of iOS at the moment. Only the
very latest iOS (15) gets updates.
If you have a phone that can be upgraded to iOS 15, then that is your path
forward. If you have an older model that can’t, then you are sunk. Either
you have to keep on using it with no more updates ever (because iPhones
are locked down to prevent you patching them yourself or installing an
alternative operating system), or send them for recycling.
Mac users current have slightly more choice, depending on the age of their
product, with macOS 12 (Monterey, the latest version), macOS 11 (Catalina)
and macOS 10 (Big Sur) all getting updates.
(If Apple follows its usual pattern then Big Sur will get dropped when the
next macOS comes out.)
1
0
i
Rate This
Reply
8. Ishwar Singh Parihar says:
August 26, 2022 at 4:30 pm
This is great news! I always update my software as soon as new patches are
released.
0
0
i
Rate This
Reply
WHAT DO YOU THINK? CANCEL REPLY
Comment *
Name
Email
Website
Δ
RECOMMENDED READS
Sep24
by Paul Ducklin
7
UBER AND ROCKSTAR – HAS A LAPSUS$ LINCHPIN JUST BEEN BUSTED (AGAIN)?
Aug05
by Paul Ducklin
1
TRAFFIC LIGHT PROTOCOL FOR CYBERSECURITY RESPONDERS GETS A REVAMP
Jul07
by Paul Ducklin
0
S3 EP90: CHROME 0-DAY, CYBERCRIME, 2FA BYPASS [AUDIO + TEXT]
* About Naked Security
* About Sophos
* Send us a tip
* Cookies
* Privacy
* Legal
* Intercept X
* Intercept X for Server
* Intercept X for Mobile
* XG Firewall
* Sophos Email
* Sophos Wireless
* Managed Threat Response
* Cloud Optix
* Phish Threat
*
*
*
*
*
© 1997 - 2022 Sophos Ltd. All rights reserved. Powered by WordPress VIP