Updated on 2022-10-28: Apple security updates
Apple has updated its software update policy page this week and is finally confirming that it does not always backport security patches to the older versions of its operating systems. Read more: Manage software updates for Apple devices
Apple has finally officially stated their stance on the latest operating system is the only fully patched one. If you are running anything other than $latest you are likely vulnerable https://t.co/clVDMWdpkO
— Graham Gilbert (@grahamgilbert) October 26, 2022
Updated on 2022-10-27: Apple October Security Updates
Apple has released security updates for macOS, iOS, iPadOS, tvOS, watchOS, and Safari. Among the fixes are patches for a high-severity zero-day remote code execution flaw in iOS and iPadOS. The vulnerability is due to an out-of-bounds write issue. Apple’s update for macOS 13 Ventura addresses more than 100 issues.
- The updates include the anticipated iPadOS 16. iOS 16.1 and iPadOS 16 address 36 CVEs. Apple also just released iOS/iPadOS 15.7.1, which addresses 20 CVEs. All of the iOS/iPadOS updates address a recent zero-day, CVE-2022-42827, which is being actively exploited. Note that Apple has released updated security bulletins for their recent updates (macOS, tvOS, iOS/iPadOS, watchOS, etc.) which include additional CVEs addressed. Note that when deploying iPadOS 16, the on-device version is listed as 16.1. The iOS/iPadOS zero-day has been added to the CISA KEV with a fix date of 11/15/22.
- Seems like only yesterday that Apple marketed itself as highly attack resistant when compared to other edge devices. We know several things changed over that time: the CPU, an increase in attack surface with the seamless integration of mobile devices, and the commoditization of vulnerabilities. Expect this to be the new normal for Apple and its highly in-demand products.
Read more in:
- About the security content of iOS 16.1 and iPadOS 16
- Apple Patches Everything: October 2022 Edition
- Apple releases patch for iPhone and iPad 0-day reported by anonymous source
- Apple fixes latest zero-day vulnerability to hit iOS devices
Overview: Apple security updates
Apple released security updates for its products on Monday, including iOS 16.1, which includes a fix for CVE-2022-42827, a vulnerability that Apple described as being exploited in the wild. The issue impacts the iOS kernel, and it is unclear whether it has been used to jailbreak smartphones or actively exploited by a threat actor to deploy malware. Read more: About the security content of iOS 16.1 and iPadOS 16