Apple releases iOS 15.7.2 with more than a dozen critical security updates

The big news int he iPhone world today is the launch of iOS 16.2, but users of older phones have an important reason to update as well. Apple has released iOS 15.7.2 and iPadOS 15.7.2 for devices that aren’t on iOS 16, most notably the iPhone 6s and 7, iPad mini 4 and iPad Air 2. It’s also available for newer iPhones that haven’t made the leap to iOS 16 yet.

To update your iPhone, head over to the Settings app and tap General, then Software Update. Then tap Download and Install and follow the prompts.

The update doesn’t include any new features, but it does contain bug fixes and numerous important security updates, several of which allow for arbitrary code execution and at least one of which that may have been actively exploited. Apple’s release notes merely state, “This update provides important security fixes and is recommended for all users.” Here are the posted security updates for this release:

AppleAVD

• Impact: Parsing a maliciously crafted video file may lead to kernel code execution
• Description: An out-of-bounds write issue was addressed with improved input validation.
• CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AVEVideoEncoder

• Impact: An app may be able to execute arbitrary code with kernel privileges
• Description: A logic issue was addressed with improved checks.
• CVE-2022-42848: ABC Research s.r.o

File System

• Impact: An app may be able to break out of its sandbox
• Description: This issue was addressed with improved checks.
• CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Graphics Driver

• Impact: Parsing a maliciously crafted video file may lead to unexpected system termination
• Description: The issue was addressed with improved memory handling.
• CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

IOHIDFamily

• Impact: An app may be able to execute arbitrary code with kernel privileges
• Description: A race condition was addressed with improved state handling.
• CVE-2022-42864: Tommy Muir (@Muirey03)

iTunes Store

• Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
• Description: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.
• CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

Kernel

• Impact: An app may be able to execute arbitrary code with kernel privileges
• Description: A race condition was addressed with additional validation.
• CVE-2022-46689: Ian Beer of Google Project Zero

libxml2

• Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
• Description: An integer overflow was addressed through improved input validation.
• CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2

• Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
• Description: This issue was addressed with improved checks.
• CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

ppp

• Impact: An app may be able to execute arbitrary code with kernel privileges
• Description: The issue was addressed with improved memory handling.
• CVE-2022-42840: an anonymous researcher

Preferences

• Impact: An app may be able to use arbitrary entitlements
• Description: A logic issue was addressed with improved state management.
• CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari

• Impact: Visiting a website that frames malicious content may lead to UI spoofing
• Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
• CVE-2022-46695: KirtiKumar Anandrao Ramchandani

WebKit

• Impact: Processing maliciously crafted web content may lead to arbitrary code execution
• Description: A memory consumption issue was addressed with improved memory handling.
• CVE-2022-46691: an anonymous researcher

WebKit

• Impact: Processing maliciously crafted web content may result in the disclosure of process memory
• Description: The issue was addressed with improved memory handling.
• CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

WebKit

• Impact: Processing maliciously crafted web content may bypass Same Origin Policy
• Description: A logic issue was addressed with improved state management.
• CVE-2022-46692: KirtiKumar Anandrao Ramchandani 

WebKit

• Impact: Processing maliciously crafted web content may lead to arbitrary code execution
• Description: A memory corruption issue was addressed with improved input validation.
• CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit

• Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
• Description: A type confusion issue was addressed with improved state handling.
• CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group