Apple released unscheduled updates for the iPhone, iPad and Mac on Wednesday evening, which can be obtained via the update function in each system. The reason is two security vulnerabilities for which the company says it has reports of active exploitation.
WebKit and kernel affected
The new versions are iOS 15.6.1 and iPadOS 15.6.1 for iPhone and iPad, and macOS Monterey 12.5.1 for the Mac. Apple recommends installing them soon. So far it is unclear who the attackers currently exploiting the zero-day bugs are, and who the possible victims are. The patch notes name only "anonymous security researchers" as reporters, so nothing further can be concluded from them. Apple has not communicated whether older iOS or macOS versions are also affected.
The bugs have the same two CVE IDs on Mac, iPhone and iPad. They are in the kernel and in the Safari browser engine WebKit, which is traditionally the only web rendering engine that Apple allows on the iPhone and iPad. Alternative browsers with other engines can also be used on the Mac, but Safari is the default browser there too, which increases the risk. According to Apple, the kernel bug, an out-of-bounds error, allows arbitrary code to be executed with kernel privileges, which makes it critical. The WebKit bug, in turn, allows compromised websites to run arbitrary code. The attackers may be combining both bugs, but this is still unclear.
watchOS 8.7.1 for specific model
In addition to the updates for iPhone, iPad and Mac, Apple also released a watchOS update on Wednesday evening. However, this is only intended for the Apple Watch Series 3, a completely outdated model from 2017, which Apple continues to sell and to supply with updates.
According to the release notes, watchOS 8.7.1 fixes a bug that can cause the smartwatch to restart unexpectedly. The bug apparently does not affect newer series, so watchOS 8.7 remains the current version for them. The two security vulnerabilities fixed in iOS, iPadOS and macOS do not appear to exist on the watch; in any case, watchOS 8.7.1 explicitly contains no security fixes.