Apple Fixes 30 Cybersecurity Vulnerabilities in iOS 16.2 and iPadOS 16.2

Niranjan Maharajh

December 14, 2022

•

min read

Are you a manufacturer of a medical device or an accessory to a medical device that using iOS or iPadOS as part of your software data chain? The iOS 16.2 and iPadOS 16.2 updates that Apple released today include fixes for more than 30 vulnerabilities! Update as soon as possible!

Apple addressed issues with everything from the Graphics Driver to WebKit to the kernel, along with vulnerabilities in Safari, Weather, Photos and more.

The vulnerabilities fixed listed below. You can research the details on all these vulnerabilities for free at postmarketmonitor.com:

Accounts

Impact: A user may be able to view sensitive user information

CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD

Impact: Parsing a maliciously crafted video file may lead to kernel code execution

CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity

Impact: An app may be able to bypass Privacy preferences

CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

AVEVideoEncoder

Impact: An app may be able to execute arbitrary code with kernel privileges

CVE-2022-42848: ABC Research s.r.o

CoreServices

Impact: An app may be able to bypass Privacy preferences

CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

GPU Drivers

Impact: An app may be able to disclose kernel memory

CVE-2022-46702: Xia0o0o0o of W4terDr0p, Sun Yat-sen University

Graphics Driver

Impact: An app may be able to execute arbitrary code with kernel privileges

CVE-2022-42850: Willy R. Vasquez of The University of Texas at Austin

Graphics Driver

Impact: Parsing a maliciously crafted video file may lead to unexpected system termination

CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

ImageIO

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

CVE-2022-46693: Mickey Jin (@patch1t)

ImageIO

Impact: Parsing a maliciously crafted TIFF file may lead to disclosure of user information

CVE-2022-42851: Mickey Jin (@patch1t)

IOHIDFamily

Impact: An app may be able to execute arbitrary code with kernel privileges

CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer

Impact: An app may be able to execute arbitrary code with kernel privileges

CVE-2022-46690: John Aakerblom (@jaakerblom)

iTunes Store

Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution

CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

Kernel

Impact: An app may be able to execute arbitrary code with kernel privileges

CVE-2022-46689: Ian Beer of Google Project Zero

Kernel

Impact: Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges

CVE-2022-46701: Felix Poulin-Belanger

Kernel

Impact: A remote user may be able to cause kernel code execution

CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Kernel

Impact: An app may be able to break out of its sandbox

CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Kernel

Impact: An app may be able to break out of its sandbox

CVE-2022-42844: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Kernel

Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges

CVE-2022-42845: Adam Doupé of ASU SEFCOM

Photos

Impact: Shake-to-undo may allow a deleted photo to be re-surfaced without authentication

CVE-2022-32943: an anonymous researcher

ppp

Impact: An app may be able to execute arbitrary code with kernel privileges

CVE-2022-42840: an anonymous researcher

Preferences

Impact: An app may be able to use arbitrary entitlements

CVE-2022-42855: Ivan Fratric of Google Project Zero

Printing

Impact: An app may be able to bypass Privacy preferences

CVE-2022-42862: Mickey Jin (@patch1t)

Safari

Impact: Visiting a website that frames malicious content may lead to UI spoofing

CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update

Impact: A user may be able to elevate privileges

CVE-2022-42849: Mickey Jin (@patch1t)

Weather

Impact: An app may be able to read sensitive location information

CVE-2022-42866: an anonymous researcher

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2022-46691: an anonymous researcher

WebKit

Impact: Processing maliciously crafted web content may bypass Same Origin Policy

CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2022-46696: Samuel Groß of Google V8 Security

CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit

Impact: Processing maliciously crafted web content may disclose sensitive user information

CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs & DNSLab, Korea Univ.

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

CVE-2022-46699: Samuel Groß of Google V8 Security

CVE-2022-42863: an anonymous researcher

‍

Niranjan Maharajh

Enhancing Cybersecurity for Legacy Medical Devices: Navigating Post-Market Challenges and Strategies

The healthcare sector faces a unique challenge in managing the cybersecurity of legacy medical devices. These devices, often operating beyond their intended lifespan, are integral to patient care but lag in modern security protocols, making them susceptible to cyber threats.

Cyberattacks in Connected Healthcare: 3 Actions to Protect Your Devices

Audio is generated by DropInBlog's AI and may have slight pronunciation nuances. Learn more In today's digital healthcare era, the threat of cyberattacks on connected medical devices is escalating. Recent cyberattacks in connected healthcare highlight the vulnerability of devices like pacemakers and insulin pumps to hacking, posing significant health risks.

Conquer Medical Device Cybersecurity Gap Assessment

In today's increasingly connected healthcare landscape, medical devices play a vital role, directly impacting patient well-being. However, their reliance on software and connectivity exposes them to potential cyberattacks. Mitigating these risks requires robust cybersecurity measures throughout the device lifecycle, from pre-market development to post-market monitoring. This blog post equips you with a comprehensive cybersecurity gap assessment framework to evaluate your medical device's cybersecurity posture, ensuring compliance and minimizing risks.