Apple releases macOS Monterey 12.6, iOS 15.7 and iPadOS 15.7 with security updates
Apple has released macOS Monterey 12.6, iOS 15.7 and iPadOS 15.7. The updates bring a number of critical security fixes for Macs, iPhones and iPads.
Security fixes in macOS Monterey 12.6
The update fixes an ATS issue that could bypass Privacy preferences. The logic issue referred to in CVE-2022-32902 was fixed by improving the state management. A vulnerability in the iMovie app would have allowed attackers to view sensitive user information. Apple says it enabled hardened runtime to patch the vulnerability tracked as CVE-2022-32896.
The macOS Monterey 12.6 update resolves three kernel-level bugs. One of these, described in CVE-2022-32911, permitted the execution of arbitrary code with kernel privileges. Another bug, referred to in CVE-2022-32864, was able to disclose kernel memory. Apple mitigated both issues by improving the memory handling.
The third kernel vulnerability, tracked as CVE-2022-32917, was similar to the first one, i.e. it allowed hackers to execute arbitrary code with kernel privileges. Apple says that this security issue could have been actively exploited by threat actors. This attack vector has been addressed with improved bounds checks.
A security issue in the Maps app could have allowed other apps to read sensitive location information. The bug, referenced as CVE-2022-32883, has been mitigated with improved restrictions.
Hackers may have been able to elevate privileges due to a memory corruption issue in the MediaLibrary. This exploit, filed under CVE-2022-32908, has been patched by improving the input validation. A similar logic issue was discovered in PackageKit (CVE-2022-32900), and has been addressed by improving the state management.
Security fixes in iOS 15.7 and iPadOS 15.7
All three kernel issues, as well as the Maps and MediaLibrary vulnerabilities that I mentioned in the macOS Monterey section, also affect iPhones, iPads and iPods. The patches for these bugs are included in the iOS 15.7 and iPadOS 15.7 updates.
Apps could have bypassed Privacy restrictions in the Contacts app. Malicious websites visited via Safari may lead to address bar spoofing. The bugs tracked as CVE-2022-32854 and CVE-2022-32795 were fixed by improving checks. The Shortcuts app could allow users to access photos from the lock screen, if the attacker had physical access to an iOS device. The logic issue reported in CVE-2022-32872 was resolved with improved restrictions. Safari Extensions might be able to track users due to a logic issue (WebKit Bugzilla: 242278, CVE-2022-32868). Apple has improved the state management to deal with the vulnerability.
A WebKit-related threat (WebKit Bugzilla: 241969, CVE-2022-32886) could have allowed web browsers and other web apps to execute malicious code. This was a result of a buffer overflow issue that was fixed by improving the memory handling. A similar issue in WebKit (WebKit Bugzilla: 242762, CVE-2022-32912) was attributed to an out-of-bounds read; the threat was patched by improving the bounds checks.
The iOS 15.7 and iPadOS 15.7 updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). In case you missed it, Apple has released iOS 16 for eligible iPhones. You can read our previous coverage to learn more about the new features in the latest software.