Apple Inc. is one of the largest technology corporations globally. After years of building user trust and demonstrating a commitment to strong internal privacy, it has maintained a strong security posture across its device family. With the emergence of NFC and Apple Pay around 2014, the tech giant showcased the Single-Use Token Protocol embedded within the Apple Pay ecosystem, demonstrating how security-focused the company is working to be.
It continues to do so in 2022 with the introduction of Merchant Tokens, which Apple Pay uses to set up secure, rolling monthly payments to vendors. This makes it easier for the end user to visualise their automatic monthly payments in the Apple Pay payment sheet, and generally improves the security of monthly transactions by leveraging the Apple Pay API, Single-Use Tokens, and biometrics.
Though Apple Inc. is known to be a secretive and secure corporation, it develops software at its core and, in doing so, inadvertently invites the potential for issues to arise in the development process. Bugs and security issues will always arise within the software development life cycle, and they will continue to be found in the wild for numerous reasons.
Unfortunately, there is currently no method that can guarantee a program, application, script, or Operating System will be coded and released with absolutely zero vulnerabilities or bugs. The code can be validated and stress tested to industry standards, but with the wide variety of Operating Systems and Device Hardware, there is no blanket solution for absolute Software Security.
Generally, a Zero-Day Vulnerability is a previously unknown vulnerability discovered in the wild which is currently being exploited by threat actors without the vendor’s knowledge. As the vendor is not aware of the vulnerability, they will not have a patch to resolve the issue until the Zero-Day has been raised with the vendor and has been investigated by their internal security and software teams to find a cure for the vulnerability.
The vendor in this case is Apple Inc., and their Zero-Day was discovered within the web rendering engine, WebKit. The vulnerability is tracked as CVE-2022-42856 and can be viewed on Apple’s site. Apple has openly stated that it is aware that the issue may have been seen in a previous Apple Vulnerability Report and could affect devices with iOS versions earlier than iOS 15.1, and up to iOS 16.1.1. The patch to resolve the issue is included in the iOS 16.1.2 update, which is currently available.
It is classed as a Type Confusion vulnerability. This class of bug is triggered when a program initially allocates a resource as one data type and later uses the same resource as an incompatible data type. The result is Type Confusion, a form of logic error. Logic errors can cause the program to malfunction or crash entirely. In this case, the vulnerability causes the program to malfunction and allows the threat actor to execute arbitrary code on the target system.
The execution of arbitrary code can allow the threat actor to run commands on the target machine. This may amount to no more than simple reconnaissance of the device and its system information, but it can also result in an all-out breach, ultimately giving the threat actor control of the device and access to the private data stored within it. The data harvested will most likely include corporate and personal emails, images, contact information, sensitive personal data (DoB, address, etc.), security logs, and more.
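A minimal model of the pattern described above, added here as an illustration and not taken from WebKit or Apple: the `Slot` class, its tags and both reader functions are hypothetical names. The same 8 bytes of storage are first used for an object reference and later for a number; the unchecked reader returns the number's bits as if they were an address, while the checked reader rejects the mismatch.

```python
import struct

TAG_NUMBER, TAG_OBJECT = "number", "object"


class Slot:
    """Toy 8-byte storage slot with a type tag (constructed model, not WebKit code)."""

    def __init__(self):
        self.tag, self.raw = None, bytes(8)

    def store_object(self, address: int) -> None:
        self.tag, self.raw = TAG_OBJECT, struct.pack("<Q", address)

    def store_number(self, value: float) -> None:
        self.tag, self.raw = TAG_NUMBER, struct.pack("<d", value)


def read_object_unchecked(slot: Slot) -> int:
    # Flawed: assumes the slot still holds what it was first allocated for.
    return struct.unpack("<Q", slot.raw)[0]


def read_object_checked(slot: Slot) -> int:
    # Hardened: verify the current type on every use and fail closed on mismatch.
    if slot.tag != TAG_OBJECT:
        raise TypeError(f"slot holds {slot.tag}, not {TAG_OBJECT}")
    return struct.unpack("<Q", slot.raw)[0]


def demo():
    slot = Slot()
    slot.store_object(0x1000)  # resource first used as an object reference
    slot.store_number(1.5)     # same storage later reused for a number
    confused = read_object_unchecked(slot)  # number bits treated as an address
    try:
        read_object_checked(slot)
        rejected = False
    except TypeError:
        rejected = True
    return confused, rejected


if __name__ == "__main__":
    confused, rejected = demo()
    print(f"unchecked read: {confused:#x}; checked read rejected: {rejected}")
```

The value returned by the unchecked reader was never stored as a reference by the program; it is simply the IEEE 754 encoding of 1.5, which is why data supplied as one type can end up steering code that expects another.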
The Impact of Vulnerable Devices on a Corporate Network
Having a vulnerable device on a corporate network could spell catastrophe for a company, especially one that deals with highly sensitive client data. With the hefty financial penalties imposed under the GDPR (2016) and the DPA (2018) for the mismanagement of sensitive data, companies simply cannot afford for data breaches to occur. This is why it is vital, especially with mobile devices, to ensure they are kept up to date with Operating System and software updates.
If a vulnerable device accesses the network and becomes infected, a threat actor may be able to leverage the opportunity to move laterally within the network, seeking to inflict damage on internal services, create backdoors for future access, or gain access to a greater volume of sensitive data. Whether it's exfiltration, contamination, or data observation, having a vulnerable device access sensitive data, or be on the corporate network, could be detrimental to the company and potentially result in fines from the ICO.
Implementing a Mobile-Device-Management (MDM) solution acts as a layer of security for devices joining the network and enables users to access sensitive company data from their devices securely. Intune is an example of MDM by Microsoft and is available for Business Premium License holders. Intune forces the end device to download a Company Portal application (from the App Store or Google Play Store), which configures a secure company profile on the device and allows access to company data securely. Compliance Policies are utilised to ensure that devices joining the network, or having access to company data, are up to date by defining a minimum OS version, PIN/password complexity requirements, and a few other options.
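The minimum-OS-version rule described above can be sanity-checked against a device inventory export. This is an added example, not Intune's policy engine or API: the CSV column names and device rows are constructed, and the only value taken from the article is the patched release, iOS 16.1.2. It compares versions numerically and treats a missing version as non-compliant.

```python
import csv
import io

MIN_IOS = "16.1.2"  # patched release named in the article

# Constructed inventory export; column names are assumptions, not an Intune schema.
INVENTORY_CSV = """device,owner,os,os_version
iphone-001,alice,iOS,16.1.2
iphone-002,bob,iOS,16.1.1
iphone-003,carol,iOS,9.3.5
iphone-004,dave,iOS,16.2
iphone-005,erin,iOS,
pixel-006,frank,Android,13
"""


def parse_version(text):
    """Turn '16.1.2' into (16, 1, 2); reject empty or non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(csv_text, minimum=MIN_IOS):
    """Return (device, compliant, reason) for every iOS row in the export."""
    floor = parse_version(minimum)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["os"].strip().lower() != "ios":
            continue  # other platforms need their own minimum version
        try:
            ok = parse_version(row.get("os_version") or "") >= floor
            reason = "ok" if ok else f"below {minimum}"
        except ValueError:
            # Fail closed: an unknown version is not evidence of a patched device.
            ok, reason = False, "version missing or unparseable"
        findings.append((row["device"], ok, reason))
    return findings


if __name__ == "__main__":
    for device, ok, reason in audit(INVENTORY_CSV):
        print(f"{device}: {'compliant' if ok else 'NON-COMPLIANT'} ({reason})")
```

Comparing the raw strings instead would rank "9.3.5" above "16.1.2" and pass a long-outdated device, which is why the versions are parsed into integer tuples first.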
At Texaport, we understand the importance of these advancements, and we work with our clients to put a reliable system in place to improve their business efficiency. Our team has a wide range of IT knowledge and remains acquainted with the movements in the IT industry.