Multiple Vulnerabilities in Apple Products
Overview
Coming on the heels of the recent Siri Bluetooth eavesdropping vulnerability, multiple new vulnerabilities have been discovered in Apple products. Successful exploitation of the most severe of these could allow arbitrary code execution in the context of the logged-on user across the gamut of Apple devices. Depending on the privileges associated with that user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer rights on the system would be less impacted than those who operate with administrative rights.
Systems Affected
- Safari versions prior to 16.1
- iOS versions prior to 16.1 and iPadOS versions prior to 16, on iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
- macOS Big Sur versions prior to 11.7.1
- macOS Monterey versions prior to 12.6.1
- macOS Ventura versions prior to 13
- tvOS versions prior to 16.1
- watchOS versions prior to 9.1
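The list above is a set of minimum fixed versions, and the practical question on every device is "is what I am running below that line?". The script below is an added example, not code from the original post or from Apple: it compares a version string numerically, component by component (so 11.10 ranks above 11.9 and 13 equals 13.0), against the thresholds taken from the Systems Affected list. The product labels (macOS, iOS, iPadOS, Safari, tvOS, watchOS) are this script's own, and the live check at the end relies on Apple's sw_vers tool, which only exists on a Mac.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apple.
# Compares an installed version against the minimum fixed release named in
# the "Systems Affected" list above. The thresholds are taken from that list;
# the product names are this script's own labels, not Apple identifiers.

# vercmp A B: prints lt, eq or gt as dotted version A compares to version B.
# Compares numerically, component by component, so 11.10 ranks above 11.9
# (a plain string comparison gets that wrong) and 13 equals 13.0.
vercmp() {
    va="$1"; vb="$2"
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca="${va%%.*}"; cb="${vb%%.*}"
        case "$va" in *.*) va="${va#*.}" ;; *) va="" ;; esac
        case "$vb" in *.*) vb="${vb#*.}" ;; *) vb="" ;; esac
        ca="${ca:-0}"; cb="${cb:-0}"          # a missing component counts as 0
        if [ "$ca" -lt "$cb" ]; then printf 'lt\n'; return 0; fi
        if [ "$ca" -gt "$cb" ]; then printf 'gt\n'; return 0; fi
    done
    printf 'eq\n'
}

# fixed_version PRODUCT VERSION: prints the first release of that product line
# that carries the fixes, or nothing if no fix applies to that line.
fixed_version() {
    case "$1" in
        macOS)
            case "${2%%.*}" in
                11) printf '11.7.1\n' ;;   # Big Sur
                12) printf '12.6.1\n' ;;   # Monterey
                13) printf '13\n' ;;       # Ventura
                *)  ;;                     # 10.15 and earlier: unsupported, no fix shipped
            esac ;;
        iOS|tvOS|Safari) printf '16.1\n' ;;
        iPadOS)          printf '16\n' ;;
        watchOS)         printf '9.1\n' ;;
        *) ;;
    esac
}

# patch_status PRODUCT VERSION: prints PATCHED, VULNERABLE or UNSUPPORTED.
# Exit status 0 = patched, 1 = vulnerable, 2 = no fix available for this line.
patch_status() {
    fixed="$(fixed_version "$1" "$2")"
    if [ -z "$fixed" ]; then
        printf 'UNSUPPORTED\n'; return 2
    fi
    if [ "$(vercmp "$2" "$fixed")" = lt ]; then
        printf 'VULNERABLE (fixed in %s %s)\n' "$1" "$fixed"; return 1
    fi
    printf 'PATCHED\n'
}

# On a Mac, check the running system. sw_vers is Apple's own tool and is
# absent on other platforms, so the live check is skipped there.
if command -v sw_vers >/dev/null 2>&1; then
    patch_status macOS "$(sw_vers -productVersion)" || true
fi
```

Run it on a Mac and it reports the running system; in a fleet script, call patch_status with the product and version pulled from your MDM inventory and act on the exit status. An UNSUPPORTED result is the caveat that matters most: a Mac on 10.15 or earlier is not "safe", it simply receives no fix and has to be upgraded or retired.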
Risk
Government:
- Large and medium government entities: High
- Small government entities: Medium
Many municipal (small?) agencies are under attack for other problems (I'm avoiding being technical, but as far as "small" goes, it's huge to us). Radio, dispatch, computer, server, network connections and more have been increasingly attacked, blacking out emergency communications and connections to the crime resource databases. This is a must, especially during traffic stops and probable-cause or suspicious-activity responses. The law enforcement officer on the scene would have no idea who they're dealing with. No access to prior criminal activity. MVC. You get the idea. Chaos. Danger. Defunded police have to spend on this. By yesterday.
The agent on scene is in a total conundrum, with fake woke laws, restrictions and mandates in place (like catch and bondless release). What if they act in a way that could be interpreted as something "illegal" and lose their extraordinarily stressful job? A person who committed their life to protect and serve others. I didn't mention the Sheriff, Prosecutor, Fire, EMS. What if the summoned, arrested person is back on the streets, mentally disturbed, with a vengeful attitude, or... you get the picture.
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
- Home Users: Low
One must bear in mind that the risk score can change even as you read this article, or don't. The proper and most secure posture is to believe:
"When, not if."
Recommendations:
- Apply the stable channel update provided by Apple to vulnerable systems immediately (I say that a lot). See the links below.
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Limit the permissions on your apps.
- TLS readers should already be restricting the use of certain websites, blocking downloads and attachments, blocking JavaScript, restricting browser extensions, etc.
- Use your resources' capabilities (or get someone competent) to detect and block conditions that may lead to, or be indicative of, a software exploit occurring.
- As noted recently here on TLS, train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction.
Remediation
Software updates from Apple remediating these flaws are currently available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. The flaws have also been resolved in all supported versions of macOS.
The iOS 16.1 update, released on October 24, 2022, comes with fixes for a total of 20 flaws, including a Kernel vulnerability (CVE-2022-42827) that Apple disclosed as being actively exploited in the wild.
References From Apple:
https://support.apple.com/en-us/HT213495
https://support.apple.com/en-us/HT213489
https://support.apple.com/en-us/HT213493
https://support.apple.com/en-us/HT213494
https://support.apple.com/en-us/HT213488
https://support.apple.com/en-us/HT213492
https://support.apple.com/en-us/HT213491
This article may contain commentary by the author.
Ron Benvenisti (10-27) Computer security pioneer (heard but not nerd) since 1987.
Hard to take this article seriously when the author calls the Apple Watch an “iWatch” in the headline.
As an Apple user, I set my tech for automatic updates. I get notified about the updates performed once they are completed.
I’m wondering why a computer guru such as Mr. B isn’t aware of this option?
Not everyone is as savvy as you! I’m the one who gets the calls!
That’s why I included the official Apple links above.
It’s not rocket science Ron. Don’t make it out to be something complicated when it really isn’t. Most of your alerts about Apple products come a week or so after the patches have been issued.
I changed it from Apple Watch by mistake. I don’t use Apple products, but you get the idea? If you don’t want to take it seriously, I wish you the best of luck.
“Mr. B” restored all my recorded shiurim on my phone and locked down my credit card. (It was hacked). He refused to take a dime. He told me to put whatever I want in Tzedakah.