Apple issued a patch for a zero-day vulnerability, likely exploited in the wild, that allows a malicious iPhone app to execute arbitrary code with kernel-level privileges, marking the second smartphone kernel code execution bug fixed by the company in as many months.
The patch comes as the computing giant released a new version of its mobile operating system that promises users the possibility of quicker delivery of security updates through a feature dubbed Rapid Security Responses.
Significant flaws within the iOS operating system are highly coveted by hackers, especially by those connected with state-sponsored surveillance, whether as a vendor of spying apps or directly in national intelligence (see: Tech Alone Won’t Defeat Advanced Spyware, US Congress Told).
“Getting into the kernel is the Holy Grail,” says Rob Graham, head of Georgia-based consultancy Errata Security.
“Once in there, you can get from the app you exploited to all the other apps on the system,” he adds. An attacker with kernel access can read encrypted messages as they’re typed and turn on the device microphone even when the user thinks it’s off.
Tracked as CVE-2022-32917, the bug was reported to Apple by an anonymous researcher and fixed with improved bounds checks.
Only weeks ago, Apple issued a patch fixing two zero-day vulnerabilities, one of which was a kernel vulnerability.
This patch marks the eighth known zero-day that Apple has fixed this year, even as its devices uphold a consumer reputation for security. A recent survey of 1,003 Americans found iOS edging out Android in perceptions of security. Enhanced security features in iOS 16 led a third of Android users to consider switching to Apple, says Beyond Identity, which commissioned the survey.
Among those features is Rapid Security Response, a feature turned on by default that delivers important security improvements before they become part of a full software update.
Also included is Lockdown Mode, an extreme level of protection. It is an optional setting for individuals at risk of being personally targeted by sophisticated digital threats, such as spyware. It consists of a set of restrictions that renders many message attachments inaccessible, webpages slower to load and FaceTime calls harder to make (see: Apple Lockdown Mode Aims to Prevent State-Sponsored Spyware).
The new operating system also includes Passkey, its version of the WebAuthn multifactor authentication standard that turns devices such as a smartphone with a biometric scanner into a logon credential. It works when an online service agrees to accept a public-private key combination in place of a traditional username and password. The private key necessary to activate the logon is stored on the user’s device, which asks for proof of the user’s identity, such as a facial scan or fingerprint reading. Its backers say their goal is the long-desired but elusive one of killing the password.
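The sign-in flow described above, as an added example that is not part of the original article and is not Apple's implementation: a simplified model of the challenge-response behind a passkey logon, not the real WebAuthn message format. The `Server` class, the function names, the user name and both origins are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Device side: the key pair is created on the device; only the public half is shared.
function createPasskey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Device side: sign the server's challenge only after local user verification
// (the facial scan or fingerprint check, modelled here as a boolean).
function deviceSign(privateKey, challenge, origin, userVerified) {
  if (!userVerified) throw new Error('user verification failed');
  const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Server side: stores a public key per user and issues single-use challenges.
class Server {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Set(); }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString('base64url'));
    return c;
  }
  verify(user, { clientData, signature }) {
    const publicKey = this.keys.get(user);
    if (!publicKey) return false;
    // Check the signature first, so only authenticated data is parsed and acted on.
    if (!crypto.verify('sha256', Buffer.from(clientData), publicKey, signature)) return false;
    const { challenge, origin } = JSON.parse(clientData);
    if (origin !== this.origin) return false;   // response was signed for another site
    return this.pending.delete(challenge);      // false if unknown or already used
  }
}

// Constructed scenario: one valid logon, then a replay, a wrong origin and a wrong key.
function demo() {
  const server = new Server('https://example.test');
  const device = createPasskey();
  server.register('alice', device.publicKey);
  const good = deviceSign(device.privateKey, server.newChallenge(), 'https://example.test', true);
  const first = server.verify('alice', good);
  const replay = server.verify('alice', good);
  const other = deviceSign(device.privateKey, server.newChallenge(), 'https://lookalike.example', true);
  const forged = deviceSign(createPasskey().privateKey, server.newChallenge(), 'https://example.test', true);
  return { first, replay, wrongOrigin: server.verify('alice', other), wrongKey: server.verify('alice', forged) };
}
```

The server never holds a secret that could be replayed elsewhere: a breach of its key store yields public keys only, and a captured response fails once its challenge has been consumed.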