Apple releases iOS 15.7.2 with more than a dozen critical security updates

The big news int he iPhone world today is the launch of iOS 16.2, but users of older phones have an important reason to update as well. Apple has released iOS 15.7.2 and iPadOS 15.7.2 for devices that aren’t on iOS 16, most notably the iPhone 6s and 7, iPad mini 4 and iPad Air 2. It’s also available for newer iPhones that haven’t made the leap to iOS 16 yet.

To update your iPhone, head over to the Settings app and tap General, then Software Update. Then tap Download and Install and follow the prompts.

The update doesn’t include any new features, but it does contain bug fixes and numerous important security updates, several of which allow for arbitrary code execution and at least one of which that may have been actively exploited. Apple’s release notes merely state, “This update provides important security fixes and is recommended for all users.” Here are the posted security updates for this release:

AppleAVD

Impact: Parsing a maliciously crafted video file may lead to kernel code executionDescription: An out-of-bounds write issue was addressed with improved input validation.CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AVEVideoEncoder

Impact: An app may be able to execute arbitrary code with kernel privilegesDescription: A logic issue was addressed with improved checks.CVE-2022-42848: ABC Research s.r.o

File System

Impact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year Lab

Graphics Driver

Impact: Parsing a maliciously crafted video file may lead to unexpected system terminationDescription: The issue was addressed with improved memory handling.CVE-2022-42846: Willy R. Vasquez of The University of Texas at Austin

IOHIDFamily

Impact: An app may be able to execute arbitrary code with kernel privilegesDescription: A race condition was addressed with improved state handling.CVE-2022-42864: Tommy Muir (@Muirey03)

iTunes Store

Impact: A remote user may be able to cause unexpected app termination or arbitrary code executionDescription: An issue existed in the parsing of URLs. This issue was addressed with improved input validation.CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

Kernel

Impact: An app may be able to execute arbitrary code with kernel privilegesDescription: A race condition was addressed with additional validation.CVE-2022-46689: Ian Beer of Google Project Zero

libxml2

Impact: A remote user may be able to cause unexpected app termination or arbitrary code executionDescription: An integer overflow was addressed through improved input validation.CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2

Impact: A remote user may be able to cause unexpected app termination or arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project Zero

ppp

Impact: An app may be able to execute arbitrary code with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42840: an anonymous researcher

Preferences

Impact: An app may be able to use arbitrary entitlementsDescription: A logic issue was addressed with improved state management.CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari

Impact: Visiting a website that frames malicious content may lead to UI spoofingDescription: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.CVE-2022-46695: KirtiKumar Anandrao Ramchandani

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code executionDescription: A memory consumption issue was addressed with improved memory handling.CVE-2022-46691: an anonymous researcher

WebKit

Impact: Processing maliciously crafted web content may result in the disclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day Initiative

WebKit

Impact: Processing maliciously crafted web content may bypass Same Origin PolicyDescription: A logic issue was addressed with improved state management.CVE-2022-46692: KirtiKumar Anandrao Ramchandani 

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code executionDescription: A memory corruption issue was addressed with improved input validation.CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.Description: A type confusion issue was addressed with improved state handling.CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group

iOS