Apple released macOS Ventura 13 and iOS 16.1 on Monday. In addition to new features, it also patched hundreds of vulnerabilities, including an iOS zero-day vulnerability.
Apple released macOS Ventura 13 and iOS 16.1 on Monday. In addition to new features, it also patched hundreds of vulnerabilities, including an iOS zero-day vulnerability.
macOS 13 Ventura fixes up to 112 vulnerabilities, including those in the OS itself, as well as those affecting third-party components. These vulnerabilities can lead to arbitrary code execution, information disclosure, denial of service (DoS) attacks, file system modifications, security bypasses, and privilege escalation. Many of these require malicious apps to be installed on the target device, while some require the attacker to actually gain access to the device, or execute malicious files.
Apple also released macOS Big Sur 11.7.1 and Monterey 12.6.1 updates on Monday, patching three vulnerabilities that Ventura also patched. That means installing Ventura will do all the patching work.
In addition, Apple also released iOS 16.1, patching at least 20 vulnerabilities, including core vulnerabilities that have been attacked. Apple confirmed that there has been “active” activity against CVE-2022-42827 on the Internet, and that apps may exploit core permissions to execute arbitrary code on iPhone and iPad users.
CVE-2022-42827 is an out-of-bounds write vulnerability reported by an anonymous researcher. iOS 16.1 has addressed this vulnerability with enhanced bounds checking.
As usual, however, Apple has not released details of the attack, or provided an indicator of compromise (IOC), or other data that users can use to identify an infection.
So far, at least eight zero-day bugs have appeared on Apple’s iOS devices, leaving the company’s security response team struggling to patch the flaws.
iOS 16.1 additionally fixes at least four other vulnerabilities that could lead to malicious code execution, including CVE-2022-42813 affecting CFNetwork, CVE-2022-42808 affecting iOS Core, CVE-2022-42823 affecting WebKit, and CVE-2022-42823 affecting WebKit CVE-2022-32922 for PDF.
Additionally, iOS 16.1 also fixes vulnerabilities in AppleMobileFileIntegrity, AVEVideoEncoder, Core Bluetooth, GPU driver, IOHIDFamily, Sandbox, and Shortcuts components.
source:SecurityWeek