Apple today released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads or Macs.
Zero-day vulnerabilities are security vulnerabilities that are known to attackers or researchers before the software vendor is aware of them or has been able to fix them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited for attacks.
Today, Apple released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to close two zero-day vulnerabilities that have reportedly been actively exploited.
The two vulnerabilities are common to all three operating systems, with the first being tracked as CVE-2022-32894. This vulnerability is an out-of-bounds write vulnerability in the operating system kernel.
The kernel is a program that acts as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.
An application, such as malware, can use this vulnerability to run code with kernel privileges. Because this is the highest level of permissions, a process would be able to execute any command on the device, effectively taking complete control of it.
The second zero-day vulnerability is CVE-2022-32893, an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.
Apple says this flaw would allow an attacker to execute arbitrary code, and because it is in the web engine, it could likely be exploited remotely when a user visits a maliciously crafted website.
The bugs were reported by anonymous researchers and have been fixed by Apple in iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1 with improved bounds checking for both bugs.
The list of devices affected by both vulnerabilities is:
- Macs running macOS Monterey
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Apple has disclosed active exploitation in the wild, but has not released any additional information about these attacks.
It’s likely that these zero-days were only used for targeted attacks, but it’s still highly recommended to install today’s security updates as soon as possible.
Seven zero-days patched by Apple this year
In March, Apple patched two more zero-day bugs used in the Intel graphics driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675), which could also be used to run code with kernel privileges.
In January, Apple patched two more actively exploited zero-days which allowed attackers to run arbitrary code with kernel privileges (CVE-2022-22587) and track users’ web browsing activity and identity in real-time (CVE-2022-22594).
Apple released security updates in February to fix a new zero-day bug exploited to hack iPhones, iPads and Macs, resulting in operating system crashes and remote code execution on compromised devices after processing maliciously crafted web content.