Even if you like to wait for new iOS and macOS updates to settle down before you take the plunge, you will want to update your iPhone and Mac asap, even if you opt to remain on iOS 15 for now. On iPhones, Apple is offering a choice between iOS 15.7 and iOS 16 when you update.
An update is urgent because iOS 15.7 (and iOS 16) and macOS Monterey 12.6 fix zero-day security vulnerabilities, which Apple says may currently be in active use by attackers …
Bleeping Computer reports:
Apple has released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year.
In security advisories issued on Monday, Apple revealed they’re aware of reports saying this security flaw “may have been actively exploited.”
The bug (tracked as CVE-2022-32917) may allow maliciously crafted applications to execute arbitrary code with kernel privileges.
“Execute arbitrary code with kernel privileges” is a way of saying that an attacker can do a lot of things, with the right combination of exploits.
The list of vulnerable devices is extensive:
- All Macs running macOS Big Sur 11.7 and macOS Monterey 12.6
- All iPhones from the iPhone 6s
- All iPads from iPad Air 2/iPad 5/iPad mini 4
- iPod Touch (7th-gen)
The site notes that Apple is being deliberately cautious in the limited information it has released so far.
Although Apple disclosed active exploitation of this vulnerability in the wild, the company is yet to release any information regarding these attacks.
By refusing to release this info, Apple likely wants to allow as many customers as possible to patch their devices before other attackers develop their own exploits and start deploying them in attacks targeting vulnerable iPhones and Macs.
Bleeping Computer says that this is the 8th zero-day vulnerability patched by Apple so far this year.
- In August, it patched two zero-day vulnerabilities in the iOS Kernel (CVE-2022-32894) and WebKit (CVE-2022-32893).
- In March, Apple patched two zero-day bugs in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
- In February, Apple released security updates to fix another WebKit zero-day bug exploited in attacks against iPhones, iPads, and Macs.
- In January, Apple patched two other exploited zero-days that enabled code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594).
Most vulnerabilities are used in targeted attacks, but some are used more widely, so it’s always good practice to update your iPhone and other Apple devices as soon as possible.
On your iPhone, go to Settings > General > Software Update and choose between iOS 15.7 and iOS 16. On your Mac, go to > About this Mac > Software Update.
Photo: Adi Goldstein/Unsplash
Author: Ben Lovejoy
Source: 9TO5Google
