Apple today released emergency security updates to address two zero-day vulnerabilities previously used by attackers to jailbreak iPhones, iPads, or Mac computers.
Zero-day vulnerabilities are security flaws that are discovered by attackers or researchers before the software developer is aware of them or able to fix them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.
Today, Apple released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to address two zero-day vulnerabilities reported to be actively exploited.
The two vulnerabilities are the same across all three operating systems. The first, tracked as CVE-2022-32894, is an out-of-bounds write in the operating system kernel.
The kernel is the program that acts as the core component of the operating system and has the highest privileges in macOS, iPadOS and iOS.
A program such as malware could use this vulnerability to execute code with kernel privileges. Since this is the highest privilege level, a process can execute any command on the device, taking full control over it.
The second zero-day vulnerability is CVE-2022-32893, an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other web-accessible applications.
Apple says the flaw would allow an attacker to perform arbitrary code execution and, because it is in the web engine, could potentially be exploited remotely when a user visits a malicious website.
The bugs were reported by anonymous researchers and fixed by Apple with improved bounds checking for both bugs in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1.
List of devices affected by both vulnerabilities:
- Mac computers running macOS Monterey
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Apple has disclosed active exploitation in the wild, but has not released any additional information about these attacks.
It is likely that these zero days were only used in targeted attacks, but it is still recommended to install today’s security updates as soon as possible.
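A patch-compliance check for a device inventory against the fixed releases named above, as an added example (not from Apple or the original article). The inventory lines, host names and status labels are constructed for illustration; versions outside the Monterey and 15.x lines are reported as out-of-scope because the article names no fix for them.

```python
import csv
import io
import re

# Fixed releases named in the article; each applies to one major release line.
FIXED = {
    "macOS": (12, 5, 1),   # macOS Monterey 12.5.1
    "iOS": (15, 6, 1),     # iOS 15.6.1
    "iPadOS": (15, 6, 1),  # iPadOS 15.6.1
}

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = """\
host,os,version
mbp-finance-01,macOS,12.5
mbp-eng-07,macOS,12.5.1
iphone-sales-03,iOS,15.6
ipad-kiosk-02,iPadOS,15.6.1
imac-lab-04,macOS,11.6.8
iphone-old-09,iOS,unknown
"""

def parse_version(text):
    """Turn '15.6' or '12.5.1' into a 3-tuple of ints; None if unparseable."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def triage(os_name, version_text):
    """Classify one device against the fixed release for its OS."""
    fixed = FIXED.get(os_name)
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"          # cannot decide; needs manual follow-up
    if version[0] != fixed[0]:
        return "out-of-scope"     # article names no fix for this release line
    return "patched" if version >= fixed else "needs-update"

def triage_inventory(csv_text):
    """Map each host in a host,os,version CSV to its triage status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row["os"], row["version"]) for row in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:18} {status}")
```

Devices reported as unknown or out-of-scope still need a manual check against the vendor's own advisories.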
Seven zero-days patched by Apple this year
In March, Apple fixed two more zero-day bugs, exploited in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675), that could also be used to execute code with kernel privileges.
In January, Apple patched two more actively exploited zero-days that allowed attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and monitor web browser activity and users’ identities in real time (CVE-2022-22594).
In February, Apple released security updates to fix a new zero-day bug used to jailbreak iPhones, iPads, and Macs, leading to OS crashes and remote code execution on compromised devices after processing malicious web content.