The big news in the iPhone world today is the launch of iOS 16.2, but older phone users also have a big reason to update. Apple has released iOS 15.7.2 and iPadOS 15.7.2 for devices that don’t run iOS 16, specifically the iPhone 6s and 7, iPad mini 4, and iPad Air 2. It’s also available for newer iPhones that have already made the jump to iOS 16.
To update your iPhone, go to the Settings app and tap Generalthen Software update. Then tap Download and install and follow the directions.
The update contains no new features, but it does contain bug fixes and numerous important security updates, several of which allow arbitrary code execution and at least one of which may have been actively exploited. Apple’s release notes only state, “This update provides important security fixes and is recommended for all users.” Here are the posted security updates for this release:
AppleAVD
- Influence: Parsing a maliciously crafted video file may lead to kernel code execution
- Description: An out-of-bounds write issue was addressed through improved input validation.
- CVE-2022-46694: Andrey Labunets and Nikita Tarakanov
AVE Video Encoder
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: A logic issue was addressed through improved checks.
- CVE-2022-42848: ABC Research sro
File system
- Influence: An app may be able to break out of the sandbox
- Description: This issue was addressed through improved checks.
- CVE-2022-42861: pattern-f (@pattern_F_) from Ant Security Light-Year Lab
Graphics driver
- Influence: Parsing a maliciously crafted video file may lead to an unexpected system termination
- Description: The issue was addressed through improved memory handling.
- CVE-2022-42846: Willy R. Vasquez of the University of Texas at Austin
IOHID Family
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: A race condition was addressed through improved status handling.
- CVE-2022-42864: Tommy Muir (@Muirey03)
iTunes store
- Influence: A remote user could potentially cause an unexpected app termination or arbitrary code execution
- Description: There was a problem parsing URLs. This issue was addressed through improved input validation.
- CVE-2022-42837: Weijia Dai (@dwj1210) from Momo Security
Kernel
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: A race condition has been fixed with additional validation.
- CVE-2022-46689: Ian Beer of Google Project Zero
libxml2
- Influence: A remote user could potentially cause an unexpected app termination or arbitrary code execution
- Description: An integer overflow was addressed through improved input validation.
- CVE-2022-40303: Maddie Stone from Google Project Zero
libxml2
- Influence: A remote user could potentially cause an unexpected app termination or arbitrary code execution
- Description: This issue was addressed through improved checks.
- CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero
ppp
- Influence: An app may be able to execute arbitrary code with kernel privileges
- Description: The issue was addressed through improved memory handling.
- CVE-2022-42840: an anonymous researcher
Preferences
- Influence: An app may be able to use arbitrary permissions
- Description: A logic issue was addressed through improved state management.
- CVE-2022-42855: Ivan Fratric of Google Project Zero
Safari
- Influence: Visiting a website that contains malicious content can lead to UI spoofing
- Description: There was a spoofing issue in URL handling. This issue was addressed through improved input validation.
- CVE-2022-46695: Kirti Kumar Anandrao Ramchandani
WebKit
- Influence: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory usage issue was addressed through improved memory handling.
- CVE-2022-46691: an anonymous researcher
WebKit
- Influence: Processing maliciously crafted web content may result in the disclosure of process memory
- Description: The issue was addressed through improved memory handling.
- CVE-2022-42852: hazbinhotel partners with Trend Micro Zero Day Initiative
WebKit
- Influence: Processing maliciously crafted web content can bypass the Same Origin policy
- Description: A logic issue was addressed through improved state management.
- CVE-2022-46692: Kirti Kumar Anandrao Ramchandani
WebKit
- Influence: Processing maliciously crafted web content may lead to arbitrary code execution
- Description: A memory corruption issue was addressed through improved input validation.
- CVE-2022-46700: Samuel Gross of Google V8 Security
WebKit
- Influence: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released prior to iOS 15.1.
- Description: A type confusion issue has been addressed through improved status handling.
- CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group
