Apple Patches Everything
Trying something a bit new here. Please let me know if this works for you.
Yesterday, Apple released security updates across its spectrum of operating systems. Apple tends to release these updates all at the same time. Targeting more enthusiasts and home users with its products, Apple is missing a lot of the details that commercial/enterprise users are looking for. The table below is an attempt to help you out a bit in identifying which vulnerabilities affect which operating system, and how severe they are.
There is no option to pick and choose which vulnerabilities to fix.
Noteworthy Vulnerabilities:
CVE-2022-22587: The vulnerability has already been exploited in the wild.
CVE-2022-22594: IndexDB same original policy violation. This vulnerability has been public for at least a week.
To indicate severity, I labeled vulnerabilities as:
Critical (red): Remote code execution (includes vulnerabilities that require a file download)
Important (yellow): Privilege Escalation
Other (blue): Security Feature Bypass
| Safari | Catalina | BigSur | Monterey | tvOS | iOS | iPadOS | watchOS |
|---|---|---|---|---|---|---|---|
| CVE-2022-22590 [critical] WebKit A use after free issue was addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution |
|||||||
| x | x | x | x | x | x | ||
| CVE-2022-22592 [other] WebKit A logic issue was addressed with improved state management. Processing maliciously crafted web content may prevent Content Security Policy from being enforced |
|||||||
| x | x | x | x | x | x | ||
| CVE-2022-22589 [critical] WebKit A validation issue was addressed with improved input sanitization. Processing a maliciously crafted mail message may lead to running arbitrary javascript |
|||||||
| x | x | x | x | x | x | ||
| CVE-2022-22594 [critical] WebKit Storage A cross-origin issue in the IndexDB API was addressed with improved input validation. A website may be able to track sensitive user information |
|||||||
| CVE-2022-22593 [important] Kernel A buffer overflow issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges |
|||||||
| x | x | x | x | x | x | x | |
| CVE-2022-22579 [critical] Model I/O An information disclosure issue was addressed with improved state management. Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution |
|||||||
| x | x | x | x | x | x | ||
| CVE-2022-22583 [important] PackageKit A permissions issue was addressed with improved validation. An application may be able to access restricted files |
|||||||
| x | x | x | |||||
| CVE-2021-30946 [other] Sandbox A logic issue was addressed with improved restrictions. A malicious application may be able to bypass certain Privacy preferences |
|||||||
| x | |||||||
| CVE-2021-30960 [important] Audio A buffer overflow issue was addressed with improved memory handling. Parsing a maliciously crafted audio file may lead to the disclosure of user information |
|||||||
| x | |||||||
| CVE-2022-22585 [other] iCloud An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. An application may be able to access a user's files |
|||||||
| x | x | x | x | x | x | ||
| CVE-2022-22587 [important] IOMobileFrameBuffer A memory corruption issue was addressed with improved input validation. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. |
|||||||
| x | x | x | x | ||||
| CVE-2022-22586 [important] AMD Kernel An out-of-bounds write issue was addressed with improved bounds checking. A malicious application may be able to execute arbitrary code with kernel privileges |
|||||||
| x | |||||||
| CVE-2022-22584 [critical] ColorSync A memory corruption issue was addressed with improved validation. Processing a maliciously crafted file may lead to arbitrary code execution |
|||||||
| x | x | x | x | x | |||
| CVE-2022-22578 [important] Crash Reporter A logic issue was addressed with improved validation. A malicious application may be able to gain root privileges |
|||||||
| x | x | x | x | x | |||
| CVE-2022-22591 [important] Intel Graphics Driver A memory corruption issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges |
|||||||
| x | |||||||
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Anonymous
Jan 27th 2022
2 years ago
Anonymous
Jan 28th 2022
2 years ago
Can I suggest a slightly different layout.
Column 1 CVE
Column 2 Description
Column 3 Severity
Column 4 - 11 the OS effected
Along the lines of the table used to document the Windows updates on patch Tuesday.
Anonymous
Jan 28th 2022
2 years ago