iOS Critical Security Update 15.6.1

By Anthony Eich on September 16, 2022

Co-Authored By: Johnathan Means

Executive Summary

On August 17, 2022, Apple Inc. released an update that patched two potentially major security vulnerabilities, one in WebKit and the other a bug in the iOS kernel. By exploiting these vulnerabilities, cyber threat actors can run arbitrary code with kernel, or elevated, privileges [2]. When Apple released the updates, it stated that the vulnerabilities “may have been exploited” but gave no reference to specific incidents. While the mainstream media has picked up this story and alerted the public, urging consumers to install the update as soon as possible, many security researchers have pointed out that although the exploit could give a threat actor full control of an iOS device, most users are unlikely to be targeted. Their reasoning is that other recently discovered zero-day exploits, such as Pegasus, were used against high-value targets such as politicians, government representatives, and journalists.

Background

When Apple announced a new security update affecting all its iPhone and iPad devices, as well as macOS products, media coverage was intense. Warnings to consumers to update their devices immediately spread, causing panic that users might already be hacked or could become victims of data loss or worse. While the severity of the vulnerabilities does warrant a high level of attention, some argue that the set of people likely to be targeted is limited because of the difficulty of executing the exploits [8].

The two patches released with the 15.6.1 update fix bugs in WebKit and the kernel for iOS, iPadOS, and macOS. WebKit is the web browser engine used by Safari, Mail, the App Store, and many other apps on iOS. The kernel is the link between device hardware and the operating system; it is the interface that launches and manages applications [3]. The WebKit vulnerability (CVE-2022-32893) can be triggered when a user visits a website with maliciously crafted content, leading to arbitrary code execution [6]. Similarly, the kernel vulnerability (CVE-2022-32894) allows an application to execute arbitrary code with kernel privileges [7]. Both vulnerabilities can give an attacker full control over an affected device.

Impact

The patches issued in the 15.6.1 update for iOS and iPadOS are available to all iOS users, including iPhone and iPad devices [1]. The vulnerabilities also affect Mac users: macOS Monterey 12.5.1 and Safari 15.6.1 were released to patch the same holes. With well over a billion iPhone and iPad users worldwide, the potential for these vulnerabilities to be exploited on devices that have not yet been updated is widespread. Yet some security researchers and tech pundits warn that the urgency behind the media storm surrounding this release is unwarranted for typical users. The sophistication needed to take advantage of these exploits appears far greater than that of the average scammer or of malicious hackers looking for a quick score.
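For a defender with a managed fleet, the practical follow-up to the release numbers above is an inventory check: compare each device's reported OS (and, on Macs, Safari) version against the patched releases and flag everything below them. The Python below is an added example, not code from the advisory, Apple, or any MDM vendor; the inventory records are constructed, and the export field names (`device`, `platform`, `os_version`, `safari_version`) are assumptions about what a real export would contain.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum releases carrying the CVE-2022-32893 / CVE-2022-32894 fixes, taken
# from the advisory text. Platforms not listed here are outside its scope and
# are reported as "unknown" rather than silently treated as safe.
PATCHED_OS: Dict[str, Version] = {
    "iOS": (15, 6, 1),
    "iPadOS": (15, 6, 1),
    "macOS": (12, 5, 1),
}
PATCHED_SAFARI: Version = (15, 6, 1)

# Leading dotted-numeric prefix; tolerates trailing build strings in parentheses.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Normalise '15.6', '15.6.1' or '15.6.1 (build)' to a three-part tuple.

    Zero-padding makes 15.6 sort below 15.6.1, and integer parts make 15.10
    sort above 15.6, both of which a plain string comparison gets wrong.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def os_is_patched(platform: str, os_version: str) -> Optional[bool]:
    """True/False for platforms the advisory covers; None when out of scope."""
    threshold = PATCHED_OS.get(platform)
    if threshold is None:
        return None
    return parse_version(os_version) >= threshold


def audit(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket device records into patched / unpatched / unknown.

    A macOS record counts as patched only if the OS and, when the export
    reports it, Safari both meet their thresholds, because Safari 15.6.1
    shipped as a separate update.
    """
    result: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for rec in inventory:
        status = os_is_patched(rec["platform"], rec["os_version"])
        if status is None:
            result["unknown"].append(rec["device"])
            continue
        safari = rec.get("safari_version")
        if status and safari is not None:
            status = parse_version(safari) >= PATCHED_SAFARI
        result["patched" if status else "unpatched"].append(rec["device"])
    return result


# Constructed inventory records; the field names are assumed, not from a real MDM export.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "iphone-01", "platform": "iOS", "os_version": "15.6.1 (build-id)"},
    {"device": "iphone-02", "platform": "iOS", "os_version": "15.6"},
    {"device": "ipad-01", "platform": "iPadOS", "os_version": "15.5"},
    {"device": "mac-01", "platform": "macOS", "os_version": "12.5.1", "safari_version": "15.6.1"},
    {"device": "mac-02", "platform": "macOS", "os_version": "12.5", "safari_version": "15.6"},
    {"device": "mac-03", "platform": "macOS", "os_version": "12.6", "safari_version": "16.0"},
    {"device": "watch-01", "platform": "watchOS", "os_version": "8.7"},
]

if __name__ == "__main__":
    for bucket, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(devices) or '-'}")
```

The point of the separate `unknown` bucket is that a platform the advisory does not cover (watchOS here) should surface for review rather than disappear into the "patched" column; the same applies if an export reports a platform name the threshold table does not recognise.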

As Advanced Persistent Threats (APTs) maintain threatening postures worldwide, vulnerabilities like CVE-2022-32893 and CVE-2022-32894 create an exceptionally broad attack surface. Currently, no APTs are known to be actively exploiting these particular vulnerabilities, but groups such as Hafnium, a likely state-sponsored cyber espionage group operating out of China, or APT29, a threat group attributed to Russia’s Foreign Intelligence Service (SVR), could use such a vulnerability to further their political or financial goals [11][12]. It has been shown that a WebKit exploit paired with a kernel exploit can give an attacker full control of a device [13]. Once a device is exploited, such groups could spy on running apps, access sensitive data on the device, retrieve location data, activate the microphone, and perform many other operations vital to corporate and government espionage and surveillance missions.

Those who should be most concerned are those who use these devices to safeguard critically sensitive data, such as government officials, top-tier executives, journalists, and anyone in possession of Controlled Unclassified Information (CUI). While there is some validity to the pushback against the alarm raised by the media coverage, the general consensus among cybersecurity professionals is that critical security updates should be installed on all devices without delay.

Significance

While these zero-day exploits have yet to be attributed to any specific group, there is a strong likelihood that they are the work of a well-funded organization such as the NSO Group, the Israeli firm responsible for the Pegasus malware tool. If and when such tools get out into the open, where more malicious hackers can pick them up and use them in attacks, anyone still running an older version of iOS will be susceptible to infiltration. Moreover, once a compromised endpoint is introduced to an otherwise secure network, there is greater opportunity for the malware to spread and infect other users, resulting in data loss, CUI leakage, and countless other negative impacts. Therefore, everyone should promptly update all their devices with the new security patches to ensure the best opportunity for secure operations worldwide.

References

[1] About the security content of iOS 15.6.1 and iPadOS 15.6.1. (2022, August 17). Retrieved August 30, 2022, from support.apple.com: https://support.apple.com/en-us/HT213412

[2] Apple Releases Security Updates for Multiple Products. (2022, August 18). Retrieved August 30, 2022, from cisa.gov: https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/apple-releases-security-updates-multiple-products

[3] Bigelow, S. J. (n.d.). kernel. (J. Lulka, Editor) Retrieved August 30, 2022, from techtarget.com: https://www.techtarget.com/searchdatacenter/definition/kernel#:~:text=It%20is%20the%20core%20that,systems%2C%20device%20control%20and%20networking.

[4] Cross, J. (2022, August 17). iOS 15.6.1 patches critical flaws that may have been actively exploited. Retrieved August 30, 2022, from macworld.com: https://www.macworld.com/article/833235/ios-ipados-15-6-1-security-updates.html

[5] Cunningham, A. (2022, August 17). New macOS 12.5.1 and iOS 15.6.1 updates patch “actively exploited” vulnerabilities. Retrieved August 30, 2022, from arstechnica.com: https://arstechnica.com/gadgets/2022/08/apple-releases-macos-12-5-1-and-ios-15-6-1-for-actively-exploited-vulnerabilities/

[6] CVE-2022-32893. (n.d.). Retrieved August 30, 2022, from cve.mitre.org: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32893

[7] CVE-2022-32894. (n.d.). Retrieved August 30, 2022, from cve.mitre.org: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32894

[8] Haslam, O. (2022, August 23). iOS 15.6.1 Is an Important Update, but Don’t Let the Media Scare You. Retrieved August 30, 2022, from lifewire.com: https://www.lifewire.com/ios-15-6-1-is-an-important-update-but-dont-let-the-media-scare-you-6502344

[9] Hern, A. (2022, August 18). Apple security flaw ‘actively exploited’ by hackers to fully control devices. Retrieved August 30, 2022, from theguardian.com: https://www.theguardian.com/technology/2022/aug/18/apple-security-flaw-hack-iphone-ipad-macs

[10] O’Flaherty, K. (2022, August 17). iOS 15.6.1—Update Now Warning Issued To All iPhone Users. Retrieved August 30, 2022, from forbes.com: https://www.forbes.com/sites/kateoflahertyuk/2022/08/19/ios-1561-update-now-warning-issued-to-all-iphone-users/?sh=6282c8b167a9

[11] APT29. (2022, April 14). Retrieved August 31, 2022, from attack.mitre.org: https://attack.mitre.org/groups/G0016/

[12] HAFNIUM. (2022, April 16). Retrieved August 31, 2022, from attack.mitre.org: https://attack.mitre.org/groups/G0125/

[13] Ducklin, P. (2022, August 18). Retrieved August 31, 2022, from nakedsecurity.sophos.com: https://nakedsecurity.sophos.com