Apple system update day! macOS Ventura, iOS 16.1 patches hundreds of vulnerabilities

Apple released macOS Ventura 13 and iOS 16.1 on Monday. In addition to the new features, it also fixed hundreds of vulnerabilities, including an iOS zero-day vulnerability.

macOS 13 Ventura fixes up to 112 vulnerabilities, including those in the operating system itself, as well as those affecting third-party components. These vulnerabilities can lead to arbitrary code execution, information disclosure, denial of service (DoS) attacks, file system modifications, security bypasses, and privilege escalation. Many of these require malicious apps to be installed on the target device, while some require the attacker to actually gain access to the device or execute malicious files.

Apple also released macOS Big Sur 11.7.1 and Monterey 12.6.1 updates on Monday, fixing three vulnerabilities that Ventura also fixed. This means that the Ventura installation will do all the patching work.

Apple also released iOS 16.1, fixing at least 20 vulnerabilities, including kernel vulnerabilities that have already been exploited. Apple has confirmed “active” exploitation of CVE-2022-42827 on the Internet; the flaw lets apps execute arbitrary code with kernel privileges on iPhones and iPads.
CVE-2022-42827 is an out-of-bounds write vulnerability reported by an anonymous researcher. iOS 16.1 addressed this vulnerability with improved bounds checking.

As usual, however, Apple has not released details of the attack, nor provided an indicator of compromise (IOC) or other data that users can use to identify an infection.

So far, at least eight zero-day bugs have appeared on Apple’s iOS devices, leaving the company’s security response team struggling to fix the flaws.

iOS 16.1 also fixes at least four other vulnerabilities that could lead to malicious code execution: CVE-2022-42813 affecting CFNetwork, CVE-2022-42808 affecting the iOS kernel, CVE-2022-42823 affecting WebKit, and CVE-2022-32922 affecting WebKit PDF.

iOS 16.1 also fixes vulnerabilities in the AppleMobileFileIntegrity, AVEVideoEncoder, Core Bluetooth, GPU driver, IOHIDFamily, Sandbox and Shortcuts components.

Source: SecurityWeek