Apple has released fixes for 37 software vulnerabilities across its operating systems: iOS, iPadOS, macOS, tvOS, and watchOS. The flaws affect different components of iOS and macOS and could be used for privilege escalation, arbitrary code execution, information disclosure, and denial of service.
One of the more serious issues includes CVE-2022-2294 – a memory corruption vulnerability in the WebRTC component recently disclosed by Google. The flaw had been used in the wild against Chrome users. Fortunately, no evidence exists that the flaw was used against Apple’s Safari browser.
Other vulnerabilities Apple fixed include a Pointer Authentication bypass in the kernel (CVE-2022-32844), a denial-of-service flaw in the ImageIO component (CVE-2022-32785), and two privilege escalation bugs in AppleMobileFileIntegrity (CVE-2022-32819) and File System Events (CVE-2022-32826).
Some other vulnerabilities include the following:
- CVE-2022-32810, CVE-2022-32829, and CVE-2022-32840 – arbitrary code execution in Apple Neural Engine;
- CVE-2022-32832 in APFS – An app with root privileges may be able to execute arbitrary code with kernel privileges;
- CVE-2022-32797, CVE-2022-32853, CVE-2022-32851, CVE-2022-32831 in AppleScript – Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory;
- CVE-2022-32820 in Audio – An app may be able to execute arbitrary code with kernel privileges.
It should also be mentioned that the latest macOS version fixed five security vulnerabilities in the SMB module. These could be used for elevation of privileges, information disclosure, and arbitrary code execution with kernel privileges.
Apple recommends updating your devices to the following versions: iOS 15.6, iPadOS 15.6, macOS (Monterey 12.5, Big Sur 11.6.8, and Security Update 2022-005 Catalina), tvOS 15.6, and watchOS 8.7.
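For fleet inventory, the useful question is whether a given device is already on one of the releases listed above. The following is an added example (not code from the article or from Apple): it parses `sw_vers`-style output and compares the reported version against the minimum patched releases named in this advisory. The version table comes from the article; the sample `sw_vers` output is constructed. Catalina is deliberately reported as "not covered" because its fix shipped as a numbered security update rather than a new OS version, so the version string alone cannot tell you whether it is installed.

```python
"""Check whether an Apple OS version meets the minimum patched release from the
July 2022 advisory. Added example; version minimums are taken from the article,
the sample sw_vers output below is constructed."""
import re
from typing import Optional, Tuple

# Minimum patched versions from the article, keyed by product name as sw_vers
# (or an MDM inventory) reports it.
MINIMUM_VERSIONS = {
    "iOS": (15, 6),
    "iPadOS": (15, 6),
    "tvOS": (15, 6),
    "watchOS": (8, 7),
}

# macOS got a separate update per major branch, so it is keyed by major version.
# Catalina (10.x) received "Security Update 2022-005", not a new version number,
# so it is intentionally absent here and reported as "not covered".
MACOS_MINIMUMS = {
    12: (12, 5),     # Monterey 12.5
    11: (11, 6, 8),  # Big Sur 11.6.8
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'11.6.8' -> (11, 6, 8); tolerates trailing build info such as '12.5 (21G72)'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if version >= advisory minimum, False if below,
    None if this product/branch is not covered by the table (e.g. Catalina)."""
    v = parse_version(version)
    if product in ("macOS", "Mac OS X"):  # older sw_vers reports "Mac OS X"
        minimum = MACOS_MINIMUMS.get(v[0])
    else:
        minimum = MINIMUM_VERSIONS.get(product)
    if minimum is None:
        return None
    # Tuple comparison handles differing lengths: (12,) < (12, 5) < (12, 5, 1)
    return v >= minimum


def parse_sw_vers(output: str) -> dict:
    """Parse the 'Key:\\tValue' lines printed by `sw_vers` into a dict."""
    fields = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def check_sw_vers(output: str) -> Optional[bool]:
    """Evaluate raw sw_vers output against the advisory minimums."""
    fields = parse_sw_vers(output)
    return is_patched(fields["ProductName"], fields["ProductVersion"])


# Constructed sample: a Monterey host one release behind the advisory.
SAMPLE_SW_VERS = "ProductName:\tmacOS\nProductVersion:\t12.4\nBuildVersion:\t21F79\n"

if __name__ == "__main__":
    status = check_sw_vers(SAMPLE_SW_VERS)
    print("patched" if status else "NOT patched" if status is False else "not covered")
```

On a live host, feed it the real output of `sw_vers`; for Catalina machines, the presence of the security update has to be confirmed from the installed-update history rather than from the version string.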
It is also worth mentioning that in June, Apple released a report dedicated to its App Store, revealing that the company protected its customers from losing approximately $1.5 billion in fraudulent transactions. Altogether, Apple stopped more than 1.6 million suspicious apps and app updates from affecting its users.