Apple Fixes 'Actively Exploited' Zero-Day Affecting Most iPhones (techcrunch.com) 38
An anonymous reader quotes a report from TechCrunch: Apple has confirmed that an iPhone software update it released two weeks ago fixed a zero-day security vulnerability that it now says was actively exploited. The update, iOS 16.1.2, landed on November 30 and rolled out to all supported iPhones -- including iPhone 8 and later -- with unspecified "important security updates."
In a disclosure to its security updates page on Tuesday, Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps, which if exploited could allow malicious code to run on the person's device. The bug is called a zero-day because the vendor is given zero days notice to fix the vulnerability. Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.
Apple said in its Tuesday disclosure that it is aware that the vulnerability was exploited "against versions of iOS released before iOS 15.1," which was released in October 2021. As such, and for those who have not yet updated to iOS 16, Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for users running iPhones 6s and later and some iPad models. The bug is tracked as CVE-2022-42856, or WebKit 247562. It's not clear for what reason Apple withheld details of the bug for two weeks.
In a disclosure to its security updates page on Tuesday, Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps, which if exploited could allow malicious code to run on the person's device. The bug is called a zero-day because the vendor is given zero days notice to fix the vulnerability. Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.
Apple said in its Tuesday disclosure that it is aware that the vulnerability was exploited "against versions of iOS released before iOS 15.1," which was released in October 2021. As such, and for those who have not yet updated to iOS 16, Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for users running iPhones 6s and later and some iPad models. The bug is tracked as CVE-2022-42856, or WebKit 247562. It's not clear for what reason Apple withheld details of the bug for two weeks.
If this was fixed two weeks ago.. (Score:1)
Re: (Score:1)
Because it was being used by rogue government spooks against my girlfriend and they knew if it got posted on Slashdot I'd find out too quickly to warn her.
Re: (Score:2)
Why are we only learning about it now?
Because they wanted to bury the story under the positive coverage of 16.2 that launched today with a bevy of highly touted features.
Re: (Score:2)
Delayed announcement while mediations get put in place is not uncommon in security. Being a browser vunerability its highlty likely they wanted to get as many phones as possible patched before alerting every script kiddy and credit card thief on the planet know about a short window of opportunity.
Likely the active exploitation was state actors or law enforcement.
Re: (Score:2)
The real issue is that this has been exploited for over a year, Apple's not even saying what the oldest known report of it being used successfully is (that they know of even) nor are they saying how long they've known.
Follow the breadcrumbs: (Score:3)
Based on the paper trail, Apple likely became aware of it early November.
Resolved in 24752: https://bugs.webkit.org/show_b... [webkit.org]
Reported: November 7, 2022
Resolved: November 8, 2022
Deployed: December 14, 2022
Introduced on 227830 - https://bugs.webkit.org/show_b... [webkit.org]
August 21, 2021
Re: (Score:2)
Because they were waiting until "most" users had updated?
Let say you build door locks. You are the only supplier, so you know who your customers are. You find out that your locks have a fatal, exploitable flaw. Do you announce the flaw to the world, then create and mail kits to remediate it? Or do you send out the kits, wait a week, then announce the flaw?
Omission. (Score:4, Insightful)
...and which all browsers which Apple allows on iOS are required to use.
Re: (Score:2)
>Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps,
...for security reasons, because the walled garden has to be curated. and the thing has been in the wild for at least a year.
thanks for the show, apple and fans, freaking hilarious. :'D
Re:Omission. (Score:4, Interesting)
Apple is also rather shy about mentioning the zero-day in the "About this Update" message. Instead it is positioned as the release of a new app (Freeform, a mindmapping app that nobody asked for). You have to zoom in to a barely legible part of the update note to see that there's anything security-related, buried under a long list of app news.
This is pure speculation on my side, but I have the feeling that Apple has a number of first-party apps stashed away, to be released with security updates. These apps act as the big colorful rugs under which bad news can be handily swept.
Did they fix the photo issue too? (Score:2, Interesting)
Here's one for the Apple fanboys. I have photos which I copied from a pc onto the iPhone using iTunes. These were temporary photos, used only for reference.
I cannot, under any circumstance, now delete these photos. They show in Photos, but if you hook the phone to the PC, you can't find them in the same location as Photos. Nor can they be found by doing a search on the phone itself.
So there you have it. Photos which perpetually exist and can't be deleted. That's how secure iPhones are. You can't rid of wh
Re: (Score:3, Insightful)
You mean the issue that literally one person on the planet has? Did you ever try reporting it as a bug or contacting them? How do you expect them to know?
Re: (Score:3)
You mean the issue that literally one person on the planet has? Did you ever try reporting it as a bug or contacting them? How do you expect them to know?
They know, everyone knows [copytrans.net]. Apparently you can delete the files with a third party app, but Apple gives literally no interface to do it. I would call it a bug, Apple probably would say you're holding it wrong. I agree, you should hold it parallel to the ground so that you get as many skips as possible when you chuck that fucker away.
Re: (Score:2)
Another request of the CCP?
Re: Did they fix the photo issue too? (Score:2)
What happens if you reset the phone and restore backup?
Re: (Score:2)
They show in Photos, but if you hook the phone to the PC, you can't find them in the same location as Photos. Nor can they be found by doing a search on the phone itself.
If they show in Photos you can delete them from there, just like you would any other photo. Bring up the photo, click the Trash icon, and then either wait 30 days or go to Recently Deleted, select the photo again, and tap Delete. I don’t understand the confusion.
And if they’re not in Photos, then what evidence is there that the photos are on the phone in the first place, given that they’re not in Photos, can’t be found and search, and don’t appear when connected to your PC? In
Re: (Score:2)
If they show in Photos you can delete them from there, just like you would any other photo. Bring up the photo, click the Trash icon, and then either wait 30 days or go to Recently Deleted, select the photo again, and tap Delete. I don’t understand the confusion.
There is no Trash icon. That's the issue. The photos are there but there is no way to delete them. The only option is to create a copy of the photo to edit it.
And if they’re not in Photos, then what evidence is there that the photos ar
Re: (Score:2)
The lack of a trash can is something I typically only see when looking at pictures I didn't upload to a shared album. Just to confirm, are you looking at these pictures via the Library tab in Photos? And what version of iOS are you using?
Re: (Score:2)
Sorry for late reply, I'm only on before and after work. No time at work. Here is what I did which might answer your question. Following whatever instructions I found to copy from the PC to the iPhone, I put the photos directly in the DCIM directory. The same directory where other photos are located. Those photos are ones I took with the phone.
When I open Photos from the home screen, these copied photos show. All of them. I can open them, zoom in and out, everything. They work just like any other photo.
Re: (Score:2)
So, the lack of trash can is still bizarre, I'll admit, but I've got some ideas.
One potential workaround would be to try a multi-select in Photos, rather than a one-off delete. From the Library tab, tap All Photos at the bottom, tap Select at the top, select a few photos by tapping on them, and then you should see the Trash icon in the bottom right. Try it with pics other than the ones in question so you can see what I mean, then try including some of the problematic pics. Might work?
Next, it sounds like it
Re: (Score:2)
I have followed every direction I can find to select one or more photos. Yes, they do mutli-select, but the option to delete is not there. Nor is the option for Photos present in iTunes when I fire it up and connect the phone to the PC.
Version wise I'm running 14.7.1. Since this is a work phone I normally only use it for work related things (calling, texting, email, etc) so having the lastest and greatest update isn't necessary since I don't go to Bob's House of Free Software and think I'm getting a great
Re: (Score:2)
If the photos are uploaded to the cloud, how could they still appear on the phone? That makes no sense. Either they're there or they're not.
The Photos app draws a distinction between "original" copies and "optimized" copies of pictures (optimized copies are what remains after the original is cleared out following it being uploaded to iCloud, and can vary from nothing more than a small thumbnail to a high quality compressed image, depending on how you've interacted with the photo). The DCIM directory only stores the originals from what I can gather, whereas optimized copies are kept elsewhere in the system where you can't easily access them from
Re: (Score:2)
Oh, there's also this app that claims to be able to help with deleting synced photos [copytrans.net], but use it as your own risk as I have no experience with it.
In related news (Score:5, Funny)
Android users are asking “your phone gets updates?”
Re: In related news (Score:2, Informative)
No, Android users wouldn't find this applicable to begin with:
1) unlike on iOS, a web browser can't pwn your entire phone, and even if it could, unlike on iOS you could always use a different browser that isn't vulnerable
2) Android isn't a monoculture. Unlike on iOS, q vulnerability that impacts one phone likely won't also affect yours.
3) In terms of remote code execution vulnerabilities, iOS and Safari both get remote code execution vulnerability CVEs at about twice the annual rate of Android and Chrome, r
Re: (Score:3, Insightful)
No, Android users wouldn't find this applicable to begin with:
1) unlike on iOS, a web browser can't pwn your entire phone,
not a fan of Apple but that is utter bullshit. You do realise multiple Android web browser vulnerabilities have done exactly that with chrome.
2) Android isn't a monoculture. Unlike on iOS, q vulnerability that impacts one phone likely won't also affect yours.
again utter bullshit, The base Android is most definitely monoculture and most vulnerabilities apply across manufacturers.
3) In terms of remote code execution vulnerabilities, iOS and Safari both get remote code execution vulnerability CVEs at about twice the annual rate of Android and Chrome, respectively. Making this worse is the fact that the total vulnerabilities are counted for ALL Android and chrome implementations, even though they typically are only applicable to one or two implementations, whereas every CVE for iOS and Safari is applicable to EVERY implementation (there is only one, after all.)
sure, but when your CVE count is in the 100's this is not a good position to throw stones and laugh at the opposition. All we can really say here is both apple and google suck donkey dicks when it comes to secure coding.
Re: (Score:2)
No, Android users wouldn't find this applicable to begin with:
1) unlike on iOS, a web browser can't pwn your entire phone,
not a fan of Apple but that is utter bullshit. You do realise multiple Android web browser vulnerabilities have done exactly that with chrome.
2) Android isn't a monoculture. Unlike on iOS, q vulnerability that impacts one phone likely won't also affect yours.
again utter bullshit, The base Android is most definitely monoculture and most vulnerabilities apply across manufacturers.
3) In terms of remote code execution vulnerabilities, iOS and Safari both get remote code execution vulnerability CVEs at about twice the annual rate of Android and Chrome, respectively. Making this worse is the fact that the total vulnerabilities are counted for ALL Android and chrome implementations, even though they typically are only applicable to one or two implementations, whereas every CVE for iOS and Safari is applicable to EVERY implementation (there is only one, after all.)
sure, but when your CVE count is in the 100's this is not a good position to throw stones and laugh at the opposition. All we can really say here is both apple and google suck donkey dicks when it comes to secure coding.
Replying to undo moderation that was supposed to be "overrated".
Re: (Score:3)
The situation on Android is actually better than on iPhone.
Too get this critical update on an iPhone or iPad, you must update the OS. Now I have to convince my wife to install an OS update that she doesn't want, because it changes other things and she likes it to stay familiar.
On Android this update would be distributed via Play, the Android app store. It would not require an OS upgrade, it would be just like an app update. Quietly installed, no fuss, older versions of Android get it too, no unwanted charge
Re: In related news (Score:4, Informative)
Re: (Score:2)
I know that, you know that, but convincing her... And stuff might change, I don't think she is on the most recent version so who knows how many major releases she has to go.
Re: (Score:2)
There will always be a security that eventually requires an OS update, probably because it can't be delivered independently or you've fallen to far behind and are no longer supported. Personally I think it's better to get the updates in smaller increments and not notice the changes so much rather than do a massive update less frequently and be hit with a lot of major changes at once. Most of the iOS upgrades I've had a completely unmemorable in the last few years, well, except the one that moved the URL b
Re: (Score:2)
I use Moto phones because they are cheap, good enough, and I like Moto Actions. And IME with pretty much any major brand of Android phone the pattern is that you usually* get one or two major version upgrades, then you get monthly security updates for a while, and then you get quarterly security updates (not counting whatever happens with Play.)
* Except for SEMC Xperia Play, which Sony promised in writing would get upgraded to ICS, and then it wasn't. But Moto has been solid...
Re: (Score:2)
Translation (Score:2)
This allowed older jailbreaks to be upgraded to work on the newest OS.
That's the only reason. Period.
Too bad you're forced to use Webkit on iPhones. (Score:3)