In its security updates released on March 14, Apple patched 39 vulnerabilities, several of which could allow an attacker to execute arbitrary code on an affected device.
One of the vulnerabilities can be exploited by having the victim open a crafted PDF file, and a few require only that the victim visit a specially crafted website.
Affected Versions
The patches have been released for
Kernel and WebKit
The kernel is a core component of any operating system and serves as the main interface between the computer’s physical hardware and the processes running on it. As such, the kernel is responsible for low-level tasks such as disk management, memory management, task management, etc.
WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.
Seven vulnerabilities were fixed for the kernel and six for WebKit.
Accelerate Framework CVE-2022-22633
Opening a maliciously crafted PDF file can lead to arbitrary code execution.
The vulnerability exists due to a boundary error when processing PDF files within Accelerate Framework.
The underlying memory corruption issue was addressed with improved state management.
An attacker would need to trick the victim into opening their PDF file.
Anything that can be triggered just by a victim opening a file that can be sent as an attachment is of great value to cybercriminals.
Sent out in bulk in a “spray and pray” attack, such a file has a reasonable chance of success, and it is just as useful to attackers performing a targeted attack on an individual.
AppleAVD CVE-2022-22666
Processing a maliciously crafted image may lead to heap corruption.
AppleAVD is a decoder that handles certain media files. The vulnerability exists due to a memory corruption issue that was addressed with improved validation. Heap corruption occurs when a program modifies the contents of a memory location outside of the heap block that was allocated to it.
The outcome can be relatively benign, such as a memory leak, or fatal, such as a memory fault, usually in the program that caused the corruption.
AVEVideoEncoder
The AVEVideoEncoder is a component that is used when creating video files. Three vulnerabilities were fixed in this component.
CVE-2022-22634
A malicious application may be able to execute arbitrary code with kernel privileges.
The vulnerability exists due to a buffer overflow that was addressed with improved bounds checking.
A buffer overflow is a type of software vulnerability in which a program writes more data into a fixed-size area of memory than that area can hold, so the excess spills over into the adjacent memory region.
CVE-2022-22635
An application may be able to gain elevated privileges.
The vulnerability exists due to an out-of-bounds write issue that was addressed with improved bounds checking.
If a flaw in a program lets it read or write outside the bounds set for a buffer, it is possible to manipulate other parts of memory that are allocated to more critical functions.
This can allow an attacker to place code in a part of memory where it will be executed with permissions that the program and user should not have.
CVE-2022-22636
An application may be able to execute arbitrary code with kernel privileges.
Another out-of-bounds write issue, addressed with improved bounds checking.
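To make the fix pattern behind all three AVEVideoEncoder bugs concrete, here is an added C example, not Apple's code and not from the original post: a hypothetical fixed-size frame buffer with an unchecked append (the out-of-bounds write) beside the bounds-checked form that refuses any input that would not fit. The buffer layout, its capacity and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size frame buffer standing in for an encoder's internal
 * state. Constructed for this example; not Apple code. */
#define FRAME_CAPACITY 64

typedef struct {
    uint8_t samples[FRAME_CAPACITY];
    size_t  used;
} frame_t;

/* Vulnerable form: trusts the caller-supplied count, so when used + count
 * exceeds FRAME_CAPACITY the memcpy writes past samples[] into whatever
 * follows it. Shown for contrast only; do not call it with untrusted input. */
void frame_append_unchecked(frame_t *f, const uint8_t *src, size_t count)
{
    memcpy(f->samples + f->used, src, count);   /* out-of-bounds write */
    f->used += count;
}

/* Hardened form, the "improved bounds checking" pattern: refuses (-1) any
 * append that would not fit. Comparing against the remaining space avoids
 * the used + count addition, which could itself wrap around. */
int frame_append_checked(frame_t *f, const uint8_t *src, size_t count)
{
    if (f->used > FRAME_CAPACITY || count > FRAME_CAPACITY - f->used)
        return -1;
    memcpy(f->samples + f->used, src, count);
    f->used += count;
    return 0;
}

int main(void)
{
    frame_t f = { .used = 0 };
    uint8_t chunk[100];                       /* constructed oversized input */
    memset(chunk, 0xAB, sizeof chunk);

    printf("32 bytes: %d\n", frame_append_checked(&f, chunk, 32));    /* 0 */
    printf("100 bytes: %d\n", frame_append_checked(&f, chunk, 100));  /* -1 */
    printf("used = %zu of %d\n", f.used, FRAME_CAPACITY);             /* 32 of 64 */
    return 0;
}
```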
GPU Drivers CVE-2022-22667
An application may be able to execute arbitrary code with kernel privileges.
This vulnerability exists due to a use after free issue that was addressed with improved memory management.
An attacker would need authenticated access to exploit this vulnerability. Use after free (UAF) is a vulnerability caused by incorrect handling of dynamic memory during a program’s operation.
If a program frees a memory location but does not clear the pointer to it, that stale (dangling) pointer can later be used to reach memory that has since been reallocated for something else, and an attacker can use the error to manipulate the program.
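An added C example of the rule just described, constructed for this article and not Apple's driver code: a hypothetical handle table for driver-managed buffers in which freeing an object also clears the stored pointer in the same step, so a stale handle fails closed instead of reaching freed memory. All names, the object layout and the table size are assumptions.

```c
#include <stdlib.h>

/* Hypothetical buffer object and handle table, constructed for this example;
 * not Apple's driver code. Callers hold integer handles, never raw pointers. */
typedef struct { size_t size; } gpu_buffer_t;

#define MAX_HANDLES 4
static gpu_buffer_t *handle_table[MAX_HANDLES];

/* Returns NULL for out-of-range or already-freed handles, never a dangling pointer. */
static gpu_buffer_t *lookup(int h)
{
    return (h < 0 || h >= MAX_HANDLES) ? NULL : handle_table[h];
}

/* Allocates a buffer in the first free slot; -1 if the table is full. */
int gpu_buffer_alloc(size_t size)
{
    for (int h = 0; h < MAX_HANDLES; h++) {
        if (handle_table[h] != NULL) continue;
        gpu_buffer_t *b = calloc(1, sizeof *b);
        if (b == NULL) return -1;
        b->size = size;
        handle_table[h] = b;
        return h;
    }
    return -1;
}

/* Frees the object and clears its slot in the same step (the "clear the pointer
 * after freeing" rule from the text); freeing the same handle twice is refused. */
int gpu_buffer_free(int h)
{
    gpu_buffer_t *b = lookup(h);
    if (b == NULL) return -1;
    free(b);
    handle_table[h] = NULL;
    return 0;
}

/* Accessor fails closed (-1) on a stale handle instead of reading freed memory. */
long gpu_buffer_size(int h)
{
    gpu_buffer_t *b = lookup(h);
    return b ? (long)b->size : -1;
}
```

Every access goes through `lookup`, so the only way to touch an object is through a slot that is still live.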
ImageIO
Two vulnerabilities were fixed for the Image I/O framework, which lets applications read and write most image file formats.
CVE-2022-22611
Processing a maliciously crafted image may lead to arbitrary code execution.
This vulnerability exists due to an out-of-bounds read that was addressed with improved input validation. An out-of-bounds read means that the software reads data past the end, or before the beginning, of the intended buffer.
Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. But it can also allow an attacker to run any commands or code in the target process.
CVE-2022-22612
Processing a maliciously crafted image may lead to heap corruption.
This vulnerability exists due to a memory consumption issue that was addressed with improved memory handling. The heap is the name for a region of a process’ memory which is used to store dynamically allocated data.
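An added C example, not part of the original post and not ImageIO code, covering both ImageIO bugs: a parser for a toy image header that validates the declared payload length against the bytes actually received (the out-of-bounds read case) and caps the declared dimensions before a decoder would allocate for them (the memory consumption case). The header layout, field names and pixel budget are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy image header, constructed for this example (not a real ImageIO format):
 * 2-byte width, 2-byte height, 4-byte payload length, then one byte per pixel;
 * all fields little-endian. */
typedef struct {
    uint16_t width, height;
    uint32_t payload_len;
    const uint8_t *payload;          /* points into the caller's buffer */
} img_t;

#define IMG_HDR_LEN 8
#define IMG_MAX_PIXELS (1u << 24)    /* decoder's allocation budget; an assumption */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *out, or -1 for any crafted-header condition; each
 * check blocks one of the failure modes described in the text. */
int img_parse(const uint8_t *buf, size_t len, img_t *out)
{
    if (buf == NULL || out == NULL || len < IMG_HDR_LEN)   /* header past end of data */
        return -1;
    uint16_t w = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t h = (uint16_t)(buf[2] | (buf[3] << 8));
    uint32_t plen = rd32(buf + 4);

    /* Declared payload longer than what was received: trusting plen here is
     * the out-of-bounds read, the decoder runs off the end of buf. */
    if (plen > len - IMG_HDR_LEN)
        return -1;
    /* Crafted dimensions: 65535 x 65535 declares ~4 GiB of pixels, the
     * memory-consumption case. Multiply as uint32_t so the product cannot
     * overflow int, then cap it against the budget. */
    uint32_t pixels = (uint32_t)w * (uint32_t)h;
    if (w == 0 || h == 0 || pixels > IMG_MAX_PIXELS)
        return -1;
    /* Fewer payload bytes than pixels: a decoder would read past the payload. */
    if (plen < pixels)
        return -1;
    out->width = w; out->height = h; out->payload_len = plen;
    out->payload = buf + IMG_HDR_LEN;
    return 0;
}
```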
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other certifications, he holds CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.