2 zero-days used to compromise iPhones and Macs are fixed by Apple security patches.
In order to address two zero-day vulnerabilities that were previously used by hackers to break into iPhones, iPads, or Macs, Apple has today published emergency security patches.
Zero-day vulnerabilities are security weaknesses that are discovered by attackers or researchers before they are discovered by or can be fixed by the software manufacturer. Zero-day vulnerabilities frequently have available proof-of-concept exploits or are actively used in attacks.
In order to patch two zero-day vulnerabilities that have reportedly been frequently exploited, Apple has now released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1.
The first vulnerability, identified as CVE-2022-32894, affects all three operating systems. This flaw is an out-of-bounds write vulnerability in the kernel of the operating system.
In macOS, iPadOS, and iOS, the kernel—a software that functions as the foundational element of an operating system—has the greatest level of access.
This flaw allows a program, such as malicious software, to run commands with kernel privileges. As the highest privilege level, a process would have full authority over the device at this level and could execute any command on it.
The second zero-day flaw, CVE-2022-32893, is an out-of-bounds write flaw in WebKit, the web browser engine that powers Safari and other web-accessible applications.
Apple claims that this weakness, which affects the web engine, could be remotely exploited by accessing a website that has been specially coded to facilitate arbitrary code execution by an attacker.
The flaws were discovered by unidentified researchers, and Apple patched them in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 by enhancing bounds checking for both flaws.
Devices impacted by both vulnerabilities include:
iPhone 6s and after, iPad Pro (all models), iPad Air 2, iPad 5th generation, iPad mini 4 and later, and iPod touch are Macs that run macOS Monterey (7th generation).
Apple revealed that there was a live exploit in the wild, but it provided no further details about these attacks.
Although it’s likely that these zero-day vulnerabilities were only employed in focused attacks, it is nevertheless strongly urged to immediately install the security updates from today.
Apple has patched seven zero-day bugs this year.
Apple fixed two further zero-day vulnerabilities in March that were present in the AppleAVD (CVE-2022-22675) and Intel Graphics Driver (CVE-2022-22674) and that may have been used to run programs with Kernel privileges.
Apple fixed two more actively exploited zero-days in January (CVE-2022-22587) that allowed attackers to execute arbitrary code with kernel privileges and track users’ online activities and identity in real-time (CVE-2022-22594).
Apple published security fixes in February to address a new zero-day vulnerability that was used to compromise Macs, iPhones, and iPads, causing OS failures and remote code execution on infected devices after processing maliciously created web content.