iOS 15.3 patches 10 major security flaws affecting Safari, root privileges, and more


    Along with Apple’s software updates today for iPhone, iPad, Mac, Apple Watch, and more, a variety of security issues have been fixed. iOS 15.3 specifically patches 10 notable security bugs ranging from the Safari web browsing leak to a flaw that can give malicious apps root privileges, and more.

    We knew about the web browsing and Google account ID flaw being patched ahead of time as it arrived with the RC versions of iOS 15.3 and macOS 12.2 However, Apple has now detailed the full list of security patches with documentation showing up for iOS 15.3, watchOS 8.4, and more.

    macOS 12.2 may include the same fixes, but Apple hasn’t published the security update for that just yet.

    Beyond the Safari web browsing flaw, others security issues patched include apps gaining root privileges, the ability to execute arbitrary code with kernel privileges, accessing user files through an iCloud bug, and more.

    Here are the 10 flaws fixed in iOS 15.3 per Apple:


    ColorSync

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: Processing a maliciously crafted file may lead to arbitrary code execution

    Description: A memory corruption issue was addressed with improved validation.

    CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro

    Crash Reporter

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: A malicious application may be able to gain root privileges

    Description: A logic issue was addressed with improved validation.

    CVE-2022-22578: an anonymous researcher

    iCloud

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: An application may be able to access a user’s files

    Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.

    CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)

    IOMobileFrameBuffer

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

    Description: A memory corruption issue was addressed with improved input validation.

    CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)

    Kernel

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: A malicious application may be able to execute arbitrary code with kernel privileges

    Description: A buffer overflow issue was addressed with improved memory handling.

    CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

    Model I/O

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution

    Description: An information disclosure issue was addressed with improved state management.

    CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro

    WebKit

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

    Description: A validation issue was addressed with improved input sanitization.

    CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

    WebKit

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: Processing maliciously crafted web content may lead to arbitrary code execution

    Description: A use after free issue was addressed with improved memory management.

    CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)

    WebKit

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

    Description: A logic issue was addressed with improved state management.

    CVE-2022-22592: Prakash (@1lastBr3ath)

    WebKit Storage

    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

    Impact: A website may be able to track sensitive user information

    Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.

    CVE-2022-22594: Martin Bajanik of FingerprintJS

    Additional recognition

    WebKit

    We would like to acknowledge Prakash (@1lastBr3ath) for their assistance.

    FTC: We use income earning auto affiliate links. More.


    Check out 9to5Mac on YouTube for more Apple news:



    Source link