✔️ 2022-08-18 00:35:26 – Paris/France.
Apple today released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads or Macs.
Zero-day vulnerabilities are security flaws known to attackers or researchers before the software vendor was aware of them or was able to fix them. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.
Today Apple released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to address two zero-day vulnerabilities that have reportedly been actively exploited.
Both vulnerabilities are the same for all three operating systems, with the first identified as CVE-2022-32894. This vulnerability is an out-of-bounds write vulnerability in the operating system kernel.
The kernel is the program that functions as the main component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.
An application, such as malware, can use this vulnerability to execute code with kernel privileges. As this is the highest privilege level, a process would be able to execute any command on the device, effectively taking full control over it.
The second zero-day vulnerability is CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other web-capable applications.
Apple says the flaw would allow an attacker to execute arbitrary code and, because it’s in the web engine, could likely be exploited remotely when a user visits a maliciously crafted website.
The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both bugs.
The list of devices affected by the two vulnerabilities is as follows:
- Macs running macOS Monterey
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Apple disclosed active exploitation in the wild, but did not release any additional information regarding these attacks.
It’s likely that these zero-days were only used in targeted attacks, but it’s still strongly advised to install today’s security updates as soon as possible.
Seven zero-days patched by Apple this year
In March, Apple fixed two additional zero-day bugs in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675), which could also be used to run code with kernel privileges.
In January, Apple patched two more actively exploited zero-days that allowed attackers to execute arbitrary code with kernel privileges (CVE-2022-22587) and track web browsing activity and user identities in real time (CVE-2022-22594).
In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads and Macs, leading to operating system crashes and remote code execution on compromised devices after processing maliciously crafted web content.
SOURCE : Digikar