Apple on Monday released iOS 15.3 and iPadOS 15.3, the third major update for the operating systems for iPhone and iPad devices, respectively. The updates come almost two weeks after the release of iOS15.2.1 and iPadOS 15.2.1.
The new software can be downloaded on eligible devices over-the-air by going to “Settings” -> “General” -> “Software Update.”
Apple’s release notes say today’s update includes “bug fixes and security updates for your iPhone,” with Apple recommending the software for all users.
Apple has a full list of security updates on its website, but today’s iOS and iPadOS 15.3 updates target a recently publicized Safari exploit.
iOS 15.3 and iPadOS 15.3
Released January 26, 2022
ColorSync
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved validation.
CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro
Crash Reporter
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.
CVE-2022-22578: an anonymous researcher
iCloud
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: An application may be able to access a user’s files
Description: An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization.
CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (https://xlab.tencent.com)
IOMobileFrameBuffer
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved input validation.
CVE-2022-22587: an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, Siddharth Aeri (@b1n4r1b01)
Kernel
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs
Model I/O
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution
Description: An information disclosure issue was addressed with improved state management.
CVE-2022-22579: Mickey Jin (@patch1t) of Trend Micro
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted mail message may lead to running arbitrary javascript
Description: A validation issue was addressed with improved input sanitization.
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of Palo Alto Networks (paloaltonetworks.com)
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22590: Toan Pham from Team Orca of Sea Security (security.sea.com)
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Description: A logic issue was addressed with improved state management.
CVE-2022-22592: Prakash (@1lastBr3ath)
WebKit Storage
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A website may be able to track sensitive user information
Description: A cross-origin issue in the IndexDB API was addressed with improved input validation.
CVE-2022-22594: Martin Bajanik of FingerprintJS
