what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apple Security Advisory 2022-12-13-7

Apple Security Advisory 2022-12-13-7
Posted Dec 22, 2022
Authored by Apple | Site apple.com

Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

tags | advisory, overflow, spoof, vulnerability, code execution
systems | apple
advisories | CVE-2022-40303, CVE-2022-40304, CVE-2022-42842, CVE-2022-42843, CVE-2022-42845, CVE-2022-42848, CVE-2022-42849, CVE-2022-42851, CVE-2022-42852, CVE-2022-42855, CVE-2022-42856, CVE-2022-42863, CVE-2022-42864, CVE-2022-42865
SHA-256 | 74ff4e02487d4bc615b6697e750a64c98e8fc416e7a5b739eed037fe127f069f

Apple Security Advisory 2022-12-13-7

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-12-13-7 tvOS 16.2

tvOS 16.2 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213535.

Accounts
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: A user may be able to view sensitive user information
Description: This issue was addressed with improved data protection.
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Parsing a maliciously crafted video file may lead to kernel
code execution
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app may be able to bypass Privacy preferences
Description: This issue was addressed by enabling hardened runtime.
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

AVEVideoEncoder
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A logic issue was addressed with improved checks.
CVE-2022-42848: ABC Research s.r.o

ImageIO
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2022-46693: Mickey Jin (@patch1t)

ImageIO
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Parsing a maliciously crafted TIFF file may lead to
disclosure of user information
Description: The issue was addressed with improved memory handling.
CVE-2022-42851: Mickey Jin (@patch1t)

IOHIDFamily
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A race condition was addressed with improved state
handling.
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: An out-of-bounds write issue was addressed with improved
input validation.
CVE-2022-46690: John Aakerblom (@jaakerblom)

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: A race condition was addressed with additional
validation.
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Connecting to a malicious NFS server may lead to arbitrary
code execution with kernel privileges
Description: The issue was addressed with improved bounds checks.
CVE-2022-46701: Felix Poulin-Belanger

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: A remote user may be able to cause kernel code execution
Description: The issue was addressed with improved memory handling.
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year
Lab

Kernel
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app with root privileges may be able to execute arbitrary
code with kernel privileges
Description: The issue was addressed with improved memory handling.
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: An integer overflow was addressed through improved input
validation.
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: A remote user may be able to cause unexpected app termination
or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project
Zero

Preferences
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app may be able to use arbitrary entitlements
Description: A logic issue was addressed with improved state
management.
CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Visiting a website that frames malicious content may lead to
UI spoofing
Description: A spoofing issue existed in the handling of URLs. This
issue was addressed with improved input validation.
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: A user may be able to elevate privileges
Description: An access issue existed with privileged API calls. This
issue was addressed with additional restrictions.
CVE-2022-42849: Mickey Jin (@patch1t)

Weather
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: An app may be able to read sensitive location information
Description: The issue was addressed with improved handling of
caches.
CVE-2022-42866: an anonymous researcher

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
WebKit Bugzilla: 245521
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory consumption issue was addressed with improved
memory handling.
WebKit Bugzilla: 245466
CVE-2022-46691: an anonymous researcher

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may bypass Same
Origin Policy
Description: A logic issue was addressed with improved state
management.
WebKit Bugzilla: 246783
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: The issue was addressed with improved memory handling.
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day
Initiative

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
input validation.
WebKit Bugzilla: 246942
CVE-2022-46696: Samuel Groß of Google V8 Security
WebKit Bugzilla: 247562
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A logic issue was addressed with improved checks.
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs
& DNSLab, Korea Univ.

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
WebKit Bugzilla: 247420
CVE-2022-46699: Samuel Groß of Google V8 Security
WebKit Bugzilla: 244622
CVE-2022-42863: an anonymous researcher

WebKit
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),
and Apple TV HD
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited against versions of iOS released
before iOS 15.1.
Description: A type confusion issue was addressed with improved state
handling.
WebKit Bugzilla: 248266
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Kernel
We would like to acknowledge Zweig of Kunlun Lab for their
assistance.

Safari Extensions
We would like to acknowledge Oliver Dunk and Christian R. of
1Password for their assistance.

WebKit
We would like to acknowledge an anonymous researcher and scarlet for
their assistance.

Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting "Settings ->
System -> Software Update -> Update Software." To check the current
version of software, select "Settings -> General -> About."
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke
NxkItA/+LIwJ66Odl7Uwp1N/qek5Z/TBuPKlbgTwRZGT3LBVMVmyHTBzebA88aNq
Pae1RKQ2Txw4w9Tb7a08eeqRQD51MBoSjTxf23tO1o0B1UR3Hgq3gsOSjh/dTq9V
Jvy4DpO15xdVHP3BH/li114JpgR+FoD5Du0rPffL01p6YtqeWMSvnRoCmwNcIqou
i2ZObfdrL2WJ+IiDIlMoJ3v+B1tDxOWR6Mn37iRdzl+QgrQMQtP9pSsiAPCntA+y
eFM5Hp0JlOMtCfA+xT+LRoZHCbjTCFMRlRbNffGvrNwwdTY4MXrSYlKcIo3yFT2m
KSHrQNvqzWhmSLAcHlUNo0lVvtPAlrgyilCYaeRNgRC1+x8KRf/AcErXr23oKknJ
lzIF6eVk1K3mxUmR+M+P8+cr14pbrUwJcQlm0In6/8fUulHtcElLE3fJ+HJVImx8
RtvNmuCng5iEK1zlwgDvAKO3EgMrMtduF8aygaCcBmt65GMkHwvOGCDXcIrKfH9U
sP4eY7V3t4CQd9TX3Vlmt47MwRTSVuUtMcQeQPhEUTdUbM7UlvtW8igrLvkz9uPn
CpuE2mzhd/dJANXvMFBR9A0ilAdJO1QD/uSWL+UbKq4BlyiW5etd8gObQfHqqW3C
sh0EwxLh4ATicRS9btAJMwIfK/ulYDWp4yuIsUamDj/sN9xWvXY=
=i2O9
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close