iOS 15.7.5/ iOS 16.4
Lookout Coverage and Recommendation for Admins
To ensure your devices aren’t exposed through the vulnerabilities in iOS 15.7.5 and earlier or upto 16.4 in iOS 16 series, Lookout admins should set default OS Out of Date policy to have a minimum iOS version of 16.5 for applicable models. They can then choose whether to alert the user that the device is out of compliance or block access to enterprise resources until iOS is updated.
In addition to requiring a minimum OS, admins should enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device. Finally, Lookout will detect if an attacker is successfully able to compromise the device at the OS level.
Overview
Apple recently released two critical updates for iOS with heavy security implications. iOS 16.5 and iOS 15.7.6 patch a combined 56 issues, which include 3 critical webkit vulnerabilities. Not only are these actively exploited zero-day vulnerabilities, but they also made it to the CISA list of mandatory fixes for the government organizations.
Two of these critical webkit vulnerabilities were included in the latest Rapid Security Response (RSR), which is Apple’s new system of delivering security patches to devices running the latest version of iOS. It is important to note that all the fixes of the RSR released on May 01,2023 have been rolled into the latest OS releases. Apple did not disclose the security content of the RSR until the latest OS release. In order to ensure protection, users should update all Apple devices to the latest OS version.
Lookout Analysis
Since these vulnerabilities are actively exploitable, remotely executable, and mentioned by CISA as required patches for government organizations, it is critical that every organization ensure its devices are up to date. The three critical webkit-related CVEs are:
- CVE-2023-32409 : A remote attacker may be able to break out of Web Content sandbox
- CVE-2023-28204 : Processing web content may disclose sensitive information
- CVE-2023-32373 : Processing maliciously crafted web content may lead to arbitrary code execution
It should be noted that CVE-2023-28204 and CVE-2023-32373 were fixed in patch 16.4.1(a) — an RSR released in May. For enterprise organizations, it’s always good to follow suit when CISA finds something critical enough that government organizations should patch it. As has been observed in the past, cyber attacks that target government often target businesses further down the line.
Authors
Lookout
Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.
Identify and Prevent Threats with Lookout Threat Advisory
Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.
Lookout Threat Advisory offers advanced mobile threat intelligence, leveraging millions of devices in our global network and top security research insights to protect your organization.
