• Home
  • iOS
  • iPadOS
  • News
  • Apple Releases iOS 15.3 and iPadOS 15.3 to Public – Fixes Safari Bug That Leaks Browsing Activity

Apple Releases iOS 15.3 and iPadOS 15.3 to Public – Fixes Safari Bug That Leaks Browsing Activity

Apple Releases iOS 15.3 and iPadOS 15.3 to Public – Fixes Safari Bug That Leaks Browsing Activity

Apple on Monday released iOS 15.3 and iPadOS 15.3, the third major update for the operating systems for iPhone and iPad devices, respectively. The updates come almost two weeks after the release of iOS15.2.1 and iPadOS 15.2.1.

The new software can be downloaded on eligible devices over-the-air by going to “Settings” -> “General” -> “Software Update.”

Apple’s release notes say today’s update includes “bug fixes and security updates for your iPhone,” with Apple recommending the software for all users.

Apple has a full list of security updates on its website, but today’s iOS and iPadOS 15.3 updates target a recently publicized Safari exploit.

iOS 15.3 and iPadOS 15.3

Released January 26, 2022

ColorSync

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro

Crash Reporter

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to gain root privileges

Description: A logic issue was addressed with improved validation.

CVE-2022-22578: an anonymous researcher

iCloud

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: An application may be able to access a user’s files

Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.

CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)

IOMobileFrameBuffer

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved input validation.

CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)

Kernel

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

Model I/O

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution

Description: An information disclosure issue was addressed with improved state management.

CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript

Description: A validation issue was addressed with improved input sanitization.

CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

Description: A logic issue was addressed with improved state management.

CVE-2022-22592: Prakash (@1lastBr3ath)

WebKit Storage

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: A website may be able to track sensitive user information

Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.

CVE-2022-22594: Martin Bajanik of FingerprintJS