Malicious apps already lurking in the official App Storecould exploit CVE-2022-32917 and other security holes, so patch up asap!
Apple has just released security updates for a zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch running the new iOS 16 operating system released on 12 Sep. Both an upgrade and an update are available for download.
According to cyber experts, users whose i-devices are eligible should install the update even if they do not want to upgrade to the newest iOS version just yet. This is because the latest iOS 15.7 and iPadOS 15.7 updates include numerous security patches, including a fix for a vulnerability, CVE-2022-32917, which allows an intruder to execute arbitrary code with kernel privileges.
Sophos’ Senior Technologist Paul Ducklin has noted that iPadOS 16 has not yet been released, but users should grab iPadOS 15.7 right now: “Don’t hang back waiting for iPadOS 16 to come out, given that you’d be leaving yourself needlessly exposed to a known exploitable kernel flaw.”
According to Ducklin, a kernel code execution bug means that even innocent-looking apps (perhaps including apps that made it into the official App Store because they raised no obvious red flags when examined) could burst free from Apple’s app-by-app security lockdown, and potentially take over the entire device, gaining control over the following functions:
- using the camera or cameras
- activating the microphone
- acquiring location data
- taking screenshots
- snooping on network traffic before it gets encrypted (or after it’s been decrypted)
- accessing files belonging to other apps, and much more
If, indeed, this security hole has been actively exploited in the wild to require such an urgent release of patches, “it’s reasonable to infer that there are apps out there that unsuspecting users have already installed, from what they thought was a trusted source, even though those apps contained code to activate and abuse this vulnerability,” Ducklin surmised.