Apple patch-uri dublu zero-day în browser și kernel – actualizați acum!

Apple just pushed out an emergency update for two zero-day bugs that are apparently actively being exploited.

There’s a remote code execution hole (RCE) dubbed CVE-20220-32893 in Apple’s HTML rendering software (WebKit), by means of which a booby trapped web page can trick iPhones, iPads and Macs into running unauthorised and untrusted software code.

Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page.

Remember that WebKit is the part of Apple’s browser engine that sits underneath absolutely all web rendering software on Apple’s mobile devices.

Macs can run versions of Chrome, Chromium, Edge, Firefox and other “non-Safari” browsers with alternative HTML and JavaScript engines (Chromium, for example, uses Clipi din ochi și V8; Firefox is based on Gecko și Rinocer).

But on iOS and iPadOS, Apple’s App Store rules insist that any software that offers any sort of web browsing functionality must be based on WebKit, including browsers such as Chrome, Firefox and Edge that don’t rely on Apple’s browsing code on any other plaforms where you might use them.

Additionally, any Mac and iDevice apps with popup windows such as Ajutor or Despre Noi screens use HTML as their “display language” – a programmatic convenience that is understandably popular with developers.

Apps that do this almost certainly use Apple’s vizualizare web system functions, and WebView is based directly on top of WebKit, so it is therefore affected by any vulnerabilities in WebKit.

CVE-2022-32893 vulnerability therefore potentially affects many more apps and system components than just Apple’s own Safari browser, so simply steering clear of Safari can’t be considered a workaround, even on Macs where non-WebKit browsers are allowed.

Then there’s a second zero-day

There’s also a kernel code execution hole dubbed CVE-2022-32894, by which an attacker who has already gained a basic foothold on your Apple device by exploiting the abovementioned WebKit bug…

…could jump from controlling just a single app on your device to taking over the operating system kernel itself, thus acquiring the sort of “admininstrative superpowers” normally reserved for Apple itself.

This almost certainly means that the attacker could:

• Spy on any and all apps currently running
• Download and start additional apps without going through the App Store
• Access almost all data on the device
• Change system security settings
• Retrieve your location
• Faceți capturi de ecran
• Use the cameras in the device
• Activați microfonul
• Copy text messages
• Track your browsing…

…și mult mai mult.

Apple hasn’t said how these bugs were found (other than to credit „un cercetător anonim”), hasn’t said where in the world they’ve been exploited, and hasn’t said who’s using them or for what purpose.

Loosely speaking, however, a working WebKit RCE followed by a working kernel exploit, as seen here, typically provides all the functionality needed to mount a device jailbreak (therefore deliberately bypassing almost all Apple-imposed security restrictions), or to install background spyware and keep you under comprehensive surveillance.

Ce să fac?

Patch at once!

At the time of writing, Apple has published advisories for iPad OS 15 and iOS 15, which both get updated version numbers of 15.6.1, Și pentru macOS Monterey 12, which gets an updated version number of 12.5.2.

• Pe iPhone sau iPad: setări cont > General > Actualizare de software
• Pe Mac: Meniul Apple > Despre acest Mac > Actualizare de software…

There’s also an update that takes watchOS la versiune 8.7.1, but that update doesn’t list any CVE numbers, and doesn’t have a security advisory of its own.

There’s no word on whether the older supported versions of macOS (Big Sur and Catalina) are affected but don’t yet have updates available, or whether tvOS is vulnerable but not yet patched.

For further information, watch this space, and keep your eyes on Apple’s official Security Bulletin portal page, HT201222.