Apple has released a series of security updates to its iOS 16.1 and iPadOS 16 mobile operating systems (OSes), targeting 20 newly discovered vulnerabilities, including one actively exploited zero-day.
Tracked as CVE-2022-42827, and credited to an anonymous researcher, the vulnerability affects iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad Mini 5th generation and later.
It is an out-of-bounds write issue by which an application may be able to execute arbitrary code with kernel privileges.
Vulnerabilities affecting device kernels are particularly dangerous because of how essential the kernel is to the running of any computer OS. Essentially, it is the layer sitting between the OS itself and the underlying hardware: it provides the interface through which users and applications interact with the device, launches and manages applications, and manages the system hardware.
As such, if a malicious actor finds they are able to access the kernel, they can pretty much take full control of the target device. Therefore, the update should be prioritised by organisations running substantial Apple estates.
Consumer users, meanwhile, can check their update status by going to Settings – General – Software Update on an iPhone or iPad, bearing in mind that their devices may be set up to take such updates automatically.
Apple did not release further details on how the bug is being exploited, or provide any indicators of compromise (IoCs), which is standard practice at Cupertino.
The other issues fixed in Apple’s latest barebones security advisory are:
- CVE-2022-42835 in AppleMobileFileIntegrity;
- CVE-2022-32940 in AVEVideoEncoder;
- CVE-2022-42813 in CFNetwork;
- CVE-2022-32946 in Core Bluetooth;
- CVE-2022-32947 in GPU Drivers;
- CVE-2022-42820 in IOHIDFamily;
- CVE-2022-42806 in IOKit;
- CVE-2022-32924 and CVE-2022-42808 in device kernels;
- CVE-2022-42829, CVE-2022-42830, CVE-2022-42831 and CVE-2022-42832 in ppp;
- CVE-2022-42811 in Sandbox;
- CVE-2022-32938 in Shortcuts;
- CVE-2022-42799, CVE-2022-42828 and CVE-2022-42824 in WebKit;
- CVE-2022-32922 in WebKit PDF.
Many of these vulnerabilities could also lead to arbitrary code execution on the victim device, which in simple terms typically means a threat actor can run any command they choose on the compromised system.
For example, they could trigger code already present on the device or, more usually, load their own code (that is to say, malware) onto the device and run it, with all the subsequent issues that entails, such as data exfiltration and ransom extortion.