Multiple Vulnerabilities in Apple Products
Coming on the heels of the recent Bluetooth Siri spying vulnerability, multiple new vulnerabilities have been discovered in Apple products. Successful exploitation of the most severe of these vulnerabilities could allow for execution and compromise of applications of the logged-on user across the gamut of Apple devices. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Systems Affected:
- Safari versions prior to 16.1
- iOS versions prior to 16.1, for iPadOS 16 and later, for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
- macOS Big Sur versions prior to 11.7.1
- macOS Monterey versions prior to 12.6.1
- macOS Ventura versions prior to 13
- tvOS versions prior to 16.1
- watchOS versions prior to 9.1
Risk:
- Large and medium government entities: High
- Small government entities: Medium
Many municipal (small?) agencies are under attack for other problems (I’m avoiding being technical, but as far as “small”, it’s huge to us). Radio, dispatch, computer, server, network connections and more have been increasingly attacked, blacking out many emergency communications and connections to the crime resource databases. This is a must, especially during traffic stops and probable cause or suspicious activity response. The law enforcement on the scene would have no idea who they’re dealing with. No access to prior criminal activity. MVC. You get the idea. Chaos. Danger. Defunded Police have to spend on this. By yesterday.
The agent on scene is in a total conundrum. With fake woke laws, restrictions and mandates in place (like catch and bondless release). What if they act in a way that could be interpreted as something that could be “illegal” and lose their extraordinarily stressful job? A person who committed their life to protect and serve others. I didn’t mention the Sheriff, Prosecutor, Fire, EMS. What if the summoned, arrested person is back in the streets, mentally disturbed with a vengeful attitude or… you get the picture.
- Large and medium business entities: High
- Small business entities: Medium
- Home Users: Low
One must bear in mind that the risk score can change even as you read this article or don’t. The proper and most secure posture is to believe:
“When and not if.”
Recommendations:
- Apply the Apple stable channel update (I say that a lot) provided by Apple to vulnerable systems immediately. (See links below.)
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Limit the permissions on your apps.
- Use your resource’s capabilities (or get someone competent) to detect and block conditions that may lead to or be indicative of a software exploit occurring.
- As noted recently here on TLS, train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spear phishing, social engineering, and other techniques that involve user interaction.
A software patch from Apple remediating recent flaws and certain aspects of this flaw is currently available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. It has also been resolved in all supported versions of macOS.
The iOS 16.1 update, which was released on October 24, 2022, comes with fixes for a total of 20 flaws, including a kernel vulnerability (CVE-2022-42827) that Apple disclosed as being actively exploited in the wild.
References From Apple:
This article may contain commentary by the author.
Ron Benvenisti (10-27) Computer security pioneer (heard but not nerd) since 1987.