Apple this week rolled out iOS 15.4, an incremental update that delivers not just new features and enhancements for iDevices, but also a legion of security fixes. iPhone and iPad owners are strongly advised to patch up ASAP.
Apart from the long list of improvements and new additions, iOS 15.4 quietly addresses a wide range of security flaws recently discovered by researchers.
As detailed in the advisory, the update addresses vulnerabilities in areas like Accelerate Framework, Cellular, FaceTime, CoreMedia, GPU Drivers, ImageIO, iTunes, Phone, Siri, SoftwareUpdate, Preferences and VoiceOver, as well as in core areas like WebKit and the underlying OS Kernel.
Some of the bugs addressed in this release are quite notable:
CVE-2022-22652
A person with physical access may be able to view and modify the carrier account information and settings from the lock screen. The GSMA authentication panel could be presented on the lock screen. The issue was resolved by requiring device unlock to interact with the GSMA authentication panel.
CVE-2022-22598
An app may be able to learn information about the current camera view before being granted camera access. The issue was addressed with improved logic.
CVE-2022-22642
A user may be able to bypass the Emergency SOS passcode prompt. The issue was addressed with improved checks.
CVE-2022-22643
A user may send audio and video in a FaceTime call without knowing that they have done so. The issue was addressed with improved checks.
CVE-2022-22653
A malicious website may be able to access information about the user and their devices. A logic issue was addressed with improved restrictions.
CVE-2022-22618
A user may be able to bypass the Emergency SOS passcode prompt. This issue was addressed with improved checks.
CVE-2022-22609
A malicious application may be able to read setting of other applications. The issue was addressed with additional permission checks.
CVE-2022-22600
A malicious application may be able to bypass certain Privacy preferences. The issue was addressed with improved permissions logic.
CVE-2022-22671
A person with physical access to an iOS device may be able to access photos from the lock screen. An authentication issue was addressed with improved state management.
None of the vulnerabilities described in the advisory are actually being exploited so far – at least not to Apple’s knowledge. However, with the cat now out of the bag, users should update to iOS 15.4 as soon as they can, before malicious actors start exploiting these weaknesses.
To do so, go to Settings -> General -> Software Update and follow the on-screen prompts to apply the patch.
A similar security update is available for Mac users, plus a bunch of security fixes for many other Apple products. If you’re an avid user of Apple gizmos and services, consult the full list of fixes available for your gear.