Updates to Apple’s zero-day update story – iPhone and iPad users read this!

Credit to Author: Paul Ducklin | Date: Fri, 28 Oct 2022 12:04:42 +0000

Regular readers will know two things about our attitude to Apple’s security patches:

  • We like to get them as soon as we can. Whether it’s a full version upgrade that also includes a bunch of security fixes, or a point release (one where the leftmost version number doesn’t change) with the primary purpose of patching bugs rather than adding new features, we’d rather err on the side of applying known security fixes than leaving our devices with holes that attackers are now aware of, even if they don’t know how to exploit them yet.
  • We nevertheless very frequently find Apple’s bulletins confusing. For example, you never quite know where you stand if you’re stuck on a version that didn’t get an update this time.

Apple’s latest security bulletins, which came out earlier this very week, exemplify how the company sometimes increases confusion by saying too little… which is not always a happy alternative to finding out too much:

Emergent confusion

Based on the enquiries and comments we’ve received from readers in the past few days, the following confusion emerged:

  • Why did a single security bulletin describe updates dubbed iOS 16.1 and iPadOS 16? We know that iPadOS 16 was delayed, so did this recent update mean that iPadOS was now getting patched only to the same security level as iOS 16, which came out more than a month ago, while iOS advanced to 16.1, thus leaving iPadOS more than five weeks adrift in cybersecurity terms?
  • Why did iPadOS 16 ultimately report itself as version 16.1? (Thanks to Stefaan from Belgium for taking screenshots of his iPad update process and sending them in.) After updating, the About screen apparently says iPadOS 16, like the security bulletin did, while the iPadOS Version screen explicitly says 16.1. It sounds as though iPhones and iPads now not only both support “the version family known as 16”, but also both have the very latest security fixes, so why not simply call both of them version 16.1 everywhere for clarity, including in the security bulletin and on the About screen?
  • Where did macOS 10 Catalina go? Traditionally, Apple drops support for macOS version X-3 when version X comes out, but is that the actual explanation of why macOS 11 Big Sur and macOS 12 Monterey (versions X-2 and X-1 respectively) got updates while Catalina didn’t?
  • What happened to iOS/iPadOS 15.7.1? When iOS 16 came out in September 2022, the previous version family received critical updates as well, taking it to version 15.7. This included a critical fix to close off a kernel-level zero-day hole under active exploitation, which often translates as “someone out there is sneaking spyware onto iPhones, folks”. So, given that iOS 16.1 included yet another kernel zero-day fix, perhaps closing off an avenue being exploited by yet more spyware, where was the corresponding patch for the iOS/iPadOS 15 family, which by analogy you would assume would be 15.7.1?

As we said in yesterday’s podcast, faced with the fourth question above from a concerned reader, our short answer was simply, “DUCK: Don’t know./DOUG: Clear as mud.”

Sometimes, security bugs in operating system version X simply don’t apply to version X-1, for example because the bugs exist in code that was only added, or only exposed to danger, in newer releases.

But we’ve also seen Apple fail to produce updates for previous versions for two other reasons, either [a] because an update is genuinely needed, but turned out to be too tricky to get ready and test in time, or [b] because the previous version was now considered out of support, and wasn’t going to get an update, whether necessary or not.

And with Apple security bulletins almost always only telling you about patches that are available right now, missing updates regularly remain an unexplained (and unexplainable) mystery.

A blast of bulletins

Well, this morning we received a blast of 15 security bulletin emails from Apple, most of them listing many of the CVE-numbered bugs and security problems reported in the bulletins we’d already seen earlier in the week.

None of them directly clarified the first three questions above, although we now assume that the reason for Apple referring to “iPadOS 16” as well as to “iPadOS 16.1” was a possibly misguided attempt to convey the information that iPadOS was now getting its belated upgrade to version family 16, as well as getting an update equivalent in security fixes to the new iOS 16.1.

But the very first bulletin in the latest salvo from Apple did solve the last question listed above, by announcing iOS/iPadOS 15.7.1, which turns out to be a critical fix:

  APPLE-SA-2022-10-27-1: iOS 15.7.1 and iPadOS 15.7.1

  iOS 15.7.1 and iPadOS 15.7.1 addresses the following issues.
  Information about the security content is also available at
  https://support.apple.com/HT213490.

  [. . .]

  Kernel
  Available for: iPhone 6s and later, iPad Pro (all models),
  iPad Air 2 and later, iPad 5th generation and later,
  iPad mini 4 and later, and iPod touch (7th generation)

  Impact: An application may be able to execute arbitrary code
  with kernel privileges. Apple is aware of a report that this
  issue may have been actively exploited.

  Description: An out-of-bounds write issue was addressed with
  improved bounds checking.

  CVE-2022-42827: an anonymous researcher

So, iOS/iPadOS 15 is still supported, and if you didn’t bite the bullet and upgrade to iOS 16.1 (or to the schismically named iPadOS 16-that-is-also-16.1) earlier in the week…

…then you should make sure you get iOS/iPadOS 15.7.1 right away, because the CVE-2022-42827 kernel zero-day hole fixed in iOS 16.1 is right there in iOS/iPadOS 15.7, under active exploitation.

In other words, this was one of those cases where the reason for the missing update a few days ago was almost certainly simply that the patches weren’t ready in time.

What to do?

TL;DR if you’re an iPhone or iPad user: if you’re still on iOS/iPadOS major version 15, go to Settings > General > Security Update right away.

Check even if you’ve got automatic updates turned on, and remember not only to approve the download if you don’t have it already, but also to force your device through the install stage, which requires one or more reboots (and does, of course, take your phone or tablet offline for a while).

TL;DR if you’re Apple: a little more clarity would go a long way in security bulletins, especially when you know either that a critical update is in the wings for users of earlier versions, or that they won’t be needing an update because their version isn’t affected.

By the way, if you decided to jump ahead to iOS/iPadOS 16.1 earlier this week, just to be safe…

…you can’t now go back to iOS/iPadOS 15.7.1, because Apple doesn’t allow downgrades.

(Downgrades facilitate jailbreaking, which Apple aims to prevent, and in any case would require a full data wipe first to prevent a downgrade being used as a malevolent “bring your own bug” security bypass to exfiltrate personal information.)
