Apple Users Beware: Multiple Vulnerabilities in Mac Desktop, iPhone, iPod and Apple Watch Products | Ron Benvenisti

Multiple Vulnerabilities in Apple Products


Overview

Coming on the heels of the recent Bluetooth Siri spying vulnerability, multiple new vulnerabilities have been discovered in Apple products. Successful exploitation of the most severe of these vulnerabilities could allow for execution and compromise of applications in the context of the logged-on user across the gamut of Apple devices. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.


Systems Affected

      • Safari versions prior to 16.1
      • iOS versions prior to 16.1, for iPadOS 16 and later, for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
      • macOS Big Sur versions prior to 11.7.1
      • macOS Monterey versions prior to 12.6.1
      • macOS Ventura versions prior to 13
      • tvOS versions prior to 16.1
      • watchOS versions prior to 9.1
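
To check a device inventory against the thresholds listed above, a small audit script can help. This is an added example, not part of the original article or any Apple tooling; the `host,product,version` inventory format, the product labels and the sample rows are assumptions constructed for illustration.

```python
import re

# Fixed-version thresholds copied from the "Systems Affected" list above.
FIXED = {"safari": (16, 1), "ios": (16, 1), "tvos": (16, 1), "watchos": (9, 1)}
# macOS is keyed by major version: each release line has its own fixed version.
MACOS_FIXED = {11: (11, 7, 1), 12: (12, 6, 1), 13: (13,)}

# Constructed sample inventory (assumed format: host,product,version).
SAMPLE = """\
mac-01,macOS,11.7
mac-02,macOS,12.6.1
mac-03,macOS,10.15.7
phone-01,iOS,16.0.3
watch-01,watchOS,9.1
tv-01,tvOS,16.1.0
"""

def parse_version(text):
    """Turn '12.6' or '11.7.1' into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def status(product, version):
    """Return 'affected', 'patched' or 'not-listed' for one product/version."""
    v = parse_version(version)
    product = product.strip().lower()
    fixed = MACOS_FIXED.get(v[0]) if product == "macos" else FIXED.get(product)
    if fixed is None:
        # Not in the list above (e.g. macOS 10.x): needs separate review.
        return "not-listed"
    # Pad to equal length so that 16.1 and 16.1.0 compare as equal.
    pad = lambda t: t + (0,) * (4 - len(t))
    return "affected" if pad(v) < pad(fixed) else "patched"

def audit(inventory_text):
    """Return (host, product, version, status) for each inventory line."""
    rows = []
    for line in inventory_text.strip().splitlines():
        host, product, version = (field.strip() for field in line.split(","))
        rows.append((host, product, version, status(product, version)))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

A `not-listed` result means the article's list does not cover that release line, not that the device is safe.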

Risk


Government:

      • Large and medium government entities: High
      • Small government entities: Medium


Many municipal (small?) agencies are under attack for other problems (I’m avoiding being technical, but as far as “small”, it’s huge to us). Radio, dispatch, computer, server, network connections and more have been increasingly attacked, blacking out many emergency communications and connections to the crime resource databases. This is a must, especially during traffic stops and probable cause or suspicious activity response. The law enforcement on the scene would have no idea who they’re dealing with. No access to prior criminal activity. MVC. You get the idea. Chaos. Danger. Defunded Police have to spend on this. By yesterday.

The agent on scene is in a total conundrum, with fake woke laws, restrictions and mandates in place (like catch and bondless release). What if they act in a way that could be interpreted as something “illegal” and lose their extraordinarily stressful job? A person who committed their life to protect and serve others. I didn’t mention the Sheriff, Prosecutor, Fire, EMS. What if the summoned, arrested person is back in the streets, mentally disturbed with a vengeful attitude or… you get the picture.



Businesses:

      • Large and medium business entities: High
      • Small business entities: Medium
      • Home Users: Low

One must bear in mind that the risk score can change even as you read this article or don’t. The proper and most secure posture is to believe:
“When and not if.”


Recommendations:

  • Apply the Apple stable channel update (I say that a lot), provided by Apple, to vulnerable systems immediately. (See links below.)
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Limit the permissions on your apps.
  • TLS readers should already be restricting the use of certain websites, blocking downloads/attachments, blocking JavaScript, restricting browser extensions, etc.
  • Use your resource’s capabilities (or get someone competent) to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • As noted recently here on TLS, train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction.

Remediation

A software patch from Apple remediating recent flaws and certain aspects of this flaw is currently available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. It has also been resolved in all supported versions of macOS.

The iOS 16.1 update, which was released on October 24, 2022, comes with fixes for a total of 20 flaws, including a kernel vulnerability (CVE-2022-42827) that Apple disclosed as being actively exploited in the wild.


References From Apple:
https://support.apple.com/en-us/HT213495
https://support.apple.com/en-us/HT213489
https://support.apple.com/en-us/HT213493
https://support.apple.com/en-us/HT213494
https://support.apple.com/en-us/HT213488
https://support.apple.com/en-us/HT213492
https://support.apple.com/en-us/HT213491


This article may contain commentary by the author.

Ron Benvenisti (10-27) Computer security pioneer (heard but not nerd) since 1987.

 


7 COMMENTS

  1. As an Apple user, I set my tech for automatic updates. I get notified about the updates performed once completed.

    I’m wondering why a computer guru such as Mr. B isn’t aware of this option?

  2. “Mr. B” restored all my recorded shiurim on my phone and locked down my credit card. (It was hacked). He refused to take a dime. He told me to put whatever I want in Tzedakah.
