The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Apple is typically known for its minimal design, user-friendly UI, and hardware. But, the success of their products, especially iPhones, has long relied upon timely cybersecurity updates and their effectiveness. The prolonged support that they promise to their devices, in addition to hardware, also revolves around the OS and security updates.
That’s why you may still see security updates for older devices that aren’t upgradable to iOS 16 still being released. We’ll talk about a few latest security updates that have recently surfaced because of known and unknown vulnerabilities.
However, as a user, you may like to know how these updates are prioritized and why you should update your devices regularly.
Every vulnerability that has been detected gets ranked by a Common Vulnerability Scoring System (CVSS) and is denoted by a CVE serial number (CVE-Year-XXXXXX) that is used to track its status. For example, the log4j vulnerability, which impacted millions of systems worldwide, was ranked 10 out of 10. The updates are prioritized and released depending on that score.
iOS 15.7.2 security update
The major security updates of iOS 15.7.2 are discussed below.
AppleAVD (Malicious Video File)
With a CVSS score of 7.8 and regarded as a high risk, AppleAVD vulnerability (CVE-2022-46694) increases the potential risk of a malicious video file writing out-of-bound and executing kernel code. Although user interaction is required for the vulnerability to be efficacious, risky downloaded videos may present issues with privacy and cybersecurity with this. The vulnerability was patched with improved input validation.
AVEVideoEncoder (Kernel Privileges)
Like AppleAVD, AVEVideoEncoder vulnerability (CVE-2022-42848) also has a 7.8 CVSS score. However, the difference between these two is the AVEVideoEncoder vulnerability is related to an app that can access kernel privileges through user interaction and execute arbitrary code to jeopardize user security. The issue was fixed with improved checks.
File System (Sandbox Issue)
In cybersecurity, sandbox defines a virtually isolated environment to run, observe, and analyze code. Typically, sandboxing is facilitated to imitate user interaction without involving active users. However, in complex operating systems like iOS, each app is caged in its own sandbox to limit its activity. The File System Vulnerability (CVE-2022-426861) revolves around malicious apps breaking out of the sandbox and executing kernel code. As it doesn’t require user interaction to act maliciously, it has a very high CVSS rating of 8.8. The issue was patched with improved checks. This vulnerability is one of the most critical reasons why you should stay updated with the latest iPhone releases.
Graphics Driver (Malicious Video File, System Termination)
With a medium CVSS rating of 5.5, the CVE-2022-42846 Graphics Driver vulnerability is capable of terminating systems through buffer overflow with malicious video files crafted for that particular purpose. Although user interaction is required, the impact of such attacks has severe implications on user experience and integrity. The issue was patched in the security update 15.7.2 with improved memory handling.
libxml2
libXML2 is generally used for parsing XML documents that transport text files containing structured data. This particular vulnerability with libxml2 (CVE-2022-40304) is assigned a CVSS base score of 7.8 and is capable of corrupting a hash table key—ultimately leading to logic errors—making the programs behave arbitrarily. This issue had occurred due to an integer overflow and was mitigated through improved input validation.
WebKit (Processing Malicious Web Content)
Websites without security certifications and compliances often contain malicious codes that may lead to cybersecurity issues. As these malicious actors do their best to hide the fact, this particular WebKit issue (CVE-2022-46691) comes with a CVSS score of 8.8 and is considered a direct threat to the security of iPhones and iPads. This was patched in the latest update through improved memory handling.
iOS 16.2 security update
Most of the updates mentioned in the 15.7.2 update are also present in the 16.2 security patch released on 13th December 2022 for devices like the Apple iPhone 14 Plus. We won’t be discussing them again unless there is a major difference present in how the vulnerability was patched.
Accounts (Unauthorized User Access)
The CVE-2022-42843 vulnerability, AKA Accounts, is a 5.5-grade low-level issue that has been patched in the 16.2 security update. The issue mainly revolves around users viewing sensitive information of other users. While it has a high confidentiality impact, it doesn’t particularly affect the integrity of the apps or the database. The issue was fixed through improved data protection measures.
AppleMobileFileIntegrity (Bypass Privacy Preferences)
Privacy is considered paramount for iPhones. Although still a medium risk (5.5) vulnerability, the AppleMobileFileIntegrity issue (CVE-2022-42865) was prioritized in the recent updates due to apps using this to bypass privacy preferences and breach user confidentiality. This issue was fixed by enabling hardened runtime that prevents code injection, process memory tampering, and DLL hijacking.
CoreServices (Removal of Vulnerable Code)
Owing to the close nature of Apple, the CoreServices update (CVE-2022-42859) doesn’t specify any major changes that were made to the codes, but it promises to have removed a piece of vulnerable code that could enable an app to bypass privacy preferences to jeopardize confidentiality. The CVSS score is a medium 5.5 for this update.
GPU Drivers (Disclose Kernel Memory)
An issue with the GPU drivers in the CVE-2022-46702 vulnerability was detected for a malicious app to be able to disclose kernel memory. Kernel memory is strictly local memory loaded in the physical device's RAM. As user interaction is required for the app to act maliciously, a medium 5.5 CVSS score was given. The issue was fixed to better memory handling.
ImageIO (Arbitrary Code Execution)
Mostly related to iCloud, but also seen in iOS itself, ImageIO issue with CVE-2022-46693 was detected to empower malicious files to execute arbitrary code. It was given a high CVSS score of 7.8 due to the arbitrary nature of the vulnerability. However, it requires user interaction, like locating and downloading that file(s). This out-of-bound issue was mitigated through improved input validation.
The bottom line
As you may already have understood, these updates are critical for your device to function securely and keep you safe from identity thefts and literal monetary risks. As these vulnerabilities are often made public for development purposes, malicious criminals often try to target devices that are yet to be updated. Therefore, you shouldn’t wait even a single day to install them.
Article Link: Why update your iPhone? | AT&T Cybersecurity