Re: iOS 16.1.1 Why/how does Android fix apply to iOS on Apple devices?

From:

About the security content of iOS 16.1.1 and iPadOS 16.1.1 - Apple Support


Question:

Why does an Android bug fix apply to iOS and become part of Apple software running on Apple hardware?

a) Apple hardware incorporates Android hardware or similar and is vulnerable in the same way,

b) Google does not update its own cross-platform software, forcing Apple to do it,

c) iOS is based on Android.

d) Android is based on iOS. < this is fun

e) Apple hardware and software are vulnerable to the same exploits as Google and Android.

f) none of the above


Answer: My iPad has been de-Googled as much as possible, F is always my favorite option.


iPad mini 5, iPadOS 16

Posted on Nov 14, 2022 4:03 PM

Question marked as Top-ranking reply

Posted on Nov 14, 2022 7:03 PM in response to arne145

Y’all seem somewhat unfamiliar with the details of these particular vulnerabilities, and also seemingly unfamiliar with one of the major teams that works on improving security.


Hopefully, the following can help y’all better understand some of this.


Maddie Stone, Ned Williamson and Nathan Wachholz, all of Google Project Zero, have identified two flaws in a common open source XML processing library, libxml2, flaws which have been labeled CVE-2022-40303 and CVE-2022-40304, and Apple and many other vendors using that libxml2 library have then shipped updates.


Apple has not indicated whether these were reportedly being actively exploited (as they sometimes do), and has not detailed the particular risks. Given XML is used all over the place in many platforms including within security-critical code, exploitable flaws here would be bad.


More generally, Project Zero has identified a number of flaws in a number of packages and platforms.


If you’d like to read more about some of the previous work of Project Zero and particularly with Apple product security, here is a fascinating writeup on the JBIG2 vulnerability and a weird machine:

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html


For assistance with Android and any use of libxml2 on that platform, and whether any patches might be necessary, best check directly with Google.
