hoakley August 20, 2022 Macs, Technology

Recent security updates: how unusual?

I know August is the ‘silly season’, with a general shortage of fresh news items, but I was surprised all the same to see both the BBC and my local newspaper belatedly reporting last week’s security updates to Monterey, iOS and iPadOS. Was there something really special about them, or were the press jumping on a story which, at any other time, would have passed unnoticed?

First, macOS 12.5.1 and the matching updates to iOS and iPadOS aren’t in the least bit unusual. When Apple released Big Sur, it changed the version numbering system to accommodate these not infrequent security updates, which had tended to be released as ‘supplemental updates’ for macOS.

In each annual cycle, Apple normally plans five or six minor updates containing improvements and general bug fixes, as well as fixes for plenty of security vulnerabilities. Patches between those, like 12.5.1, are common, and it’s good news that they are, as they represent Apple promulgating important fixes as soon as it can, rather than waiting for the next scheduled minor update, which in this case could be as late as October, when 12.6 is likely to be released, alongside the first version of Ventura.

macOS 12.5.1 only contained two security fixes, compared with 12.5 which had about 50. What is different in this case is that Apple suggested that both of the vulnerabilities had already been exploited in the wild. As Apple puts it: “Apple is aware of a report that this issue may have been actively exploited.” That doesn’t mean that all our Macs are about to be pwned, though, the interpretation that many seem to have jumped to.

Neither is this the first time that Apple has issued such warnings. While none of the security fixes in Monterey 12.5 bore those words, two fixes that came in 12.3.1 did, as did one in 12.2.1, and another in 11.5.1, and in other updates too.

So, what does Apple tell us about the vulnerabilities it has patched in 12.5.1? As is usual, not a great deal. The bug in the kernel allows an application “to execute arbitrary code with kernel privileges”, and that in WebKit allows the processing of maliciously crafted web content to “lead to arbitrary code execution”. Linking either of these to specific code, and determining which malware might be exploiting them, isn’t easy.

As ever, Apple provides CVE-IDs for each. CVE-2022-32893 (WebKit) is merely “reserved” according to the Mitre database, the only detail revealed there being that the entry was made on 9 June 2022, and the entry for the kernel vulnerability CVE-2022-32894 is identical. Both reports are credited to “an anonymous researcher”, which could easily be Apple’s own security researchers. In the past, Apple used to give them explicit credits in its security release notes, but hasn’t done so for some years.

So none of this is unusual, or exceptional, nor does it justify alarmist reports and speculation in the non-technical media. The message remains: keep your Macs and devices up to date, particularly with security updates.

It may be mere coincidence, of course, but this wasn’t the only security update last week. The following day (Thursday), Apple pushed two updates to the security tools built into macOS, one to add a new malware detection signature to XProtect data, the other to refresh the scanning components in its new XProtect Remediator which is replacing MRT in Catalina and later.

For the first time, Apple gave a new XProtect signature a codename that correlates with one of the executable modules in XProtect Remediator: SnowDrift. Stuart Ashenbrenner @stuartjash at Jamf has identified this as CloudMensis, spyware first discovered by ESET back in April 2022, when it was thought to have been distributed on a very limited basis.

Apple added the SnowDrift scanner to XProtect Remediator in version 68, pushed just a fortnight ago on 4 August 2022, but has only just added its signature to XProtect’s Yara file. Is it too much of a coincidence to wonder whether these two security fixes might have any connection?

The message the non-technical press have also missed is how important it is not just to keep up to date with security updates, but that it’s essential to run a recent version of macOS which gets the benefit of XProtect Remediator, and to keep up to date with security data updates too. I suppose that was just too nuanced for the silly season, though.

14Comments

Add yours

1

rfog926695139 on August 20, 2022 at 8:14 am

AFAIK, the WebKit one is a not initialized pointer in some collections in JS code, that could allow to execute absolutely arbitrary code as easy as put the desired address in right memory position and then call one of the collection. If you can chain this issue with the kernel one, well, SYSTEM access for any thing you wanted to do.

LikeLiked by 1 person
- 2
  
  rfog926695139 on August 20, 2022 at 8:19 am
  
  … And what I wonder is what kind of developers/reviewers Apple has. Not using auto-pointers and not running static C++ code analyzer, etc.. Paying bananas, getting monkeys.
  
  LikeLiked by 1 person
  - 3
    
    hoakley on August 20, 2022 at 8:34 am
    
    Could you not be as insulting of Google, Microsoft, and every other major software developer?
    Apple has more than 10,000 engineering teams. Inevitably, some engineers are better than others. But to accuse them all of being monkeys is arrogant and insulting, don’t you think?
    If you are so much better, why don’t you go and work for Apple? It pays exceedingly well, and has been actively recruiting for many of its teams.
    Howard.
    
    LikeLiked by 2 people
    - 4
      
      rfog926695139 on August 20, 2022 at 9:15 am
      
      Howard, this your (and mine) are opinions. A not-initialized pointer is a thing that is even detected by the compiler if configured with the right options (at least Visual Studio does). Said that, nobody run a static code analyzer before release? Perhaps the monkey is not the developer, perhaps the monkey is the code reviewer… Or there are no code reviewer and then the monkey is the manager. Or perhaps there is no manager and the monkey is the development-head. Or perhaps is Timm Cook, that is most centered in giving more and more earnings to the investors than in the products themselves. What I’m completely sure is there are some monkeys there.
      
      And not, I’m not better than anybody, but I’ve never had this kind of mistakes.
      
      LikeLiked by 1 person
    - 5
      
      hoakley on August 20, 2022 at 6:59 pm
      
      Well, as far as I can tell this wasn’t simply an uninitialised pointer. Not only that, but this is in open source too, which had undergone extensive review. Perhaps we’re all monkeys then?
      I’ve only been coding for Macs for 33 years, and for other systems for a few years before that. The longer I code, the more I realise that we all make these kinds of mistakes, even with ‘safer’ languages and tools to prevent such bugs. All they do is reduce their frequency, they don’t eliminate them, and being gratuitously insulting about anyone is completely inappropriate. We should learn the humility to say that, sooner or later, we too do make the same mistakes.
      Howard.
      
      LikeLiked by 2 people
- 6
  
  hoakley on August 20, 2022 at 8:30 am
  
  Are you certain that is the bug in WebKit? Apple’s description reads a bit different to me: “An out-of-bounds write issue was addressed with improved bounds checking”.
  And how does that differ from many of the 50 bugs fixed in 12.5? What has been exploiting that vulnerability?
  The problem here is leaping to conclusions for which we have literally no evidence.
  Howard.
  
  LikeLike
  - 7
    
    rfog926695139 on August 20, 2022 at 9:10 am
    
    That’s why I started with “IMHO”. I’m basing the info in the patch that Apple did for Firefox the same day it released their own CVE.
    
    LikeLiked by 1 person
8

Alan Ralph on August 20, 2022 at 10:05 am

I don’t watch the news on TV these days, but this was on the radio a *lot* the last few days! I have to wonder if part of the reason it got the coverage was because a lot of journalists have iPhones or other Apple devices (since they can, I suspect, easily afford them)?

LikeLiked by 1 person
- 9
  
  hoakley on August 20, 2022 at 7:01 pm
  
  Thank you.
  I suspect that this fed through from some of the alarmist reports in the so-called specialist press, coupled with the usual shortage of real news when the politicians are on holiday and don’t care.
  Howard.
  
  LikeLiked by 1 person
10

Lynn Cox on August 20, 2022 at 5:16 pm

Ah the “news”. My local TV station reported it on Friday evening as an ‘Oh my god you better update!’ NOW!!! report. Gee, where were they on Wednesday when it was released? Not news. Just blather. Shows how out of touch the non tech-media has become. I read an article that mentioned when the big TV media required that the newsroom show a profit it was the death-knell for responsible journalism. Pretty faces and empty heads. “These aren’t the droids you are looking for”

LikeLiked by 1 person
- 11
  
  Alan Ralph on August 20, 2022 at 6:37 pm
  
  I’ve pretty much stopped watching the news on TV or reading news websites, I occasionally catch the headlines on the radio, otherwise I let the news that matters come to me. Most of the rest is noise at best, soul-destroying at worst. A special place in Hell is reserved for those who came up with 24-hour news. (My late father worked for ITN here in the UK as an engineer for many years and saw how the sausage was made. Suffice to say he had a dim view of most journalists and newsroom management.)
  
  LikeLiked by 1 person
12

ericrfmwp on August 20, 2022 at 8:08 pm

I’m another who doesn’t watch the news that often, but when friends and relatives call me (in a mild panic) to update everything right away or else the universe will implode, I tuned in. Local news had an inordinately long piece about it. They even tried to get in some of the details, which were maybe partly accurate.

To the point, I was asking myself, very loudly, “What is the big deal with this?!?!? I heard about this days ago!” I’ll blame Twitter… that usually works and is often accurate. 🤪

LikeLiked by 1 person
13

Ken Burns Effect on September 19, 2022 at 8:53 am

“and to keep up to date with security data updates too”

Do you by “security data” mean virus definitions and such?

LikeLiked by 1 person
- 14
  
  hoakley on September 19, 2022 at 8:55 am
  
  Yes: what’s referred to in Software Update as system data files and security updates.
  Howard
  
  LikeLike

·Comments are closed.

Share this:

Like this:

Related