iOS/iPadOS/macOS impacted by two zero-day exploits

Fix released by Apple… update now!

The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.

The flaw gives attackers a way to set up “booby-trapped” Web pages that can trick Macs, iPhones, and iPads into running untrusted software. “Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page,” the security vendor said.


I wonder if this update doesn’t apply to M1-based systems?
The update isn’t available on my M1 MBP.

Edit: it’s available in the App Store, even if not listed in Software Update.
https://apps.apple.com/us/app/macos-monterey/id1576738294?mt=12

I got one on my M1 MacBook Pro so you should get one eventually!


All my M1 machines (MBP and Mac Mini) got the update notification; if not, I suggest you go to Software Update and force it. This is serious stuff.

Our M1 Mac Mini needed to be restarted before it recognized there was an update available. The Mac Studio and Intel Macs all saw the update right away.

How does a flaw like this exist? Apple goes to great lengths to lock down the App Store, with sandboxed and signed apps. If visiting a webpage can circumvent all of these security layers, then are they really protecting us? Are they not following their own security rules in Safari?

At least one of them is a flaw in WebKit, which is Apple’s own software and on which all iOS and iPadOS browsers are built. So there’s no App Store issue with that one.

The article doesn’t specify the locus of the other flaw, and I haven’t found a write-up that does.

Flaws exist in all software. Flaws in software that processes untrusted data always have the potential for a bug that allows someone who can cause the software to process specially crafted data to execute code within the software itself. The more complex the data, the more potential for this kind of bug. Modern web content is very complex, so code execution bugs in things like WebKit are not that uncommon. CVE-2022-32893 (one of the bugs in this update) is exactly that.

That’s pretty bad on its own, but Apple’s security model limits what code running in a browser can do. However, this update also addresses another bug, CVE-2022-32894, which allows an attacker to run code with kernel privileges. That’s incredibly bad, as that allows an attacker to bypass pretty much (almost) all security mechanisms. Bugs like this also exist in every modern operating system.

If you use these two bugs together, you end up with an exploit chain that can result in a complete system compromise from just visiting a web page (or possibly even just opening an HTML email). None of this has been caused by Apple disregarding its own security rules.


This isn’t the first time that this has happened to Apple’s products, and it won’t be the last. All software platforms have similar issues. What’s more worrying to me is that Apple states that there’s evidence that these bugs have been exploited already.

When these kinds of bugs are discovered, they’re incredibly valuable. They’re generally used very, very sparingly and only in highly targeted attacks, usually by nation-state actors. This is because if they’re discovered (as these have been), they get fixed by vendors (as these have been), and their effectiveness quickly drops.

Unfortunately, this also means that the incentive to use them sparingly quickly drops, so exploitation can jump suddenly and broadly. This is why it’s incredibly important to apply security patches as quickly as possible and to avoid running unsupported/unpatched software.


We’re coming up on the 50th anniversary of the first discovery of a buffer overflow vulnerability.
Maybe one day someone will solve this problem.

It’s a little ridiculous this is still an issue.


A buffer overflow can happen anytime a piece of code brings in “outside” data at runtime. At a high enough level, these sorts of issues have been solved. But even then, the urge or need to optimize and improve performance opens the door again. And at low enough levels, there simply is no way to protect against faulty size assumptions and errors in memory manipulation.

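As an added illustration of the "faulty size assumptions" point in the post above (example code written for this page, not from the thread, from WebKit or from Apple), here is a constructed length-prefixed record parser in C: the trusting form that produces an out-of-bounds write, beside the bounds-checked form. The record format, function names and return codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example: [1 byte len][len bytes payload].
 * The payload is copied into a fixed 16-byte destination buffer. */
#define DST_SIZE 16

/* Vulnerable pattern: trusts the attacker-controlled len byte. A record with
 * len > DST_SIZE writes past dst (out-of-bounds write); one whose len exceeds
 * the bytes actually received reads past buf (out-of-bounds read). */
size_t copy_payload_unsafe(const uint8_t *buf, uint8_t dst[DST_SIZE]) {
    size_t len = buf[0];
    memcpy(dst, buf + 1, len);
    return len;
}

/* Hardened form: every size assumption is checked against both the amount
 * of input actually received and the capacity of the destination.
 * Returns 0 on success, or a negative code naming the rejected condition. */
int copy_payload_safe(const uint8_t *buf, size_t buf_len,
                      uint8_t dst[DST_SIZE], size_t *out_len) {
    if (buf == NULL || buf_len < 1) return -1;   /* not even a length byte */
    size_t len = buf[0];
    if (len > buf_len - 1) return -2;            /* claims more than was received */
    if (len > DST_SIZE) return -3;               /* would overflow dst */
    memcpy(dst, buf + 1, len);
    *out_len = len;
    return 0;
}

/* Constructed sample records: one honest, two with lying length fields. */
const uint8_t rec_ok[]        = {3, 'a', 'b', 'c'};
const uint8_t rec_short_in[]  = {200, 'x'};   /* claims 200 bytes, 1 present */
const uint8_t rec_too_big[40] = {39};         /* 39 bytes present, dst holds 16 */

int main(void) {
    uint8_t dst[DST_SIZE] = {0};
    size_t n = 0;
    int rc = copy_payload_safe(rec_ok, sizeof rec_ok, dst, &n);
    printf("rec_ok:       rc=%d len=%zu payload=%.*s\n", rc, n, (int)n, (const char *)dst);
    rc = copy_payload_safe(rec_short_in, sizeof rec_short_in, dst, &n);
    printf("rec_short_in: rc=%d\n", rc);   /* -2: rejected before any copy */
    rc = copy_payload_safe(rec_too_big, sizeof rec_too_big, dst, &n);
    printf("rec_too_big:  rc=%d\n", rc);   /* -3: rejected before any copy */
    return 0;
}
```

The unsafe version is only ever called here on the honest record; feeding it either lying record is exactly the class of memory-safety bug the thread is discussing.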