Two critical zero-day vulnerabilities have been patched by Apple that may have been actively exploited in the wild. Exploitation of the flaws allows threat actors to remotely execute code on vulnerable iPhone, iPad, and Mac devices.
The vulnerabilities affect the 6S iPhone and later models, 6th generation iPads and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models, the 7th generation iPod touch, Mac computer with the Monterey OS, and the Apple Safari browser on Big Sur and Cataline OSes.
Both of the vulnerabilities are out-of-bound white bugs, one is in the WebKit browser engine (CVE-2022-32893) that powers the Safari web browser and all iOS web browsers and can be exploited if the user is tricked into visiting a specially crafted website. The second vulnerability (CVE-2022-32893) is in the Kernel of the affected operating systems and can be exploited to execute arbitrary code with Kernel privileges – the highest level of privileges possible on macOS, iPadOS, and iOS.
Out-of-bounds write vulnerabilities allow input to be supplied to a program that causes it to write data outside a memory buffer. Exploitation of the vulnerabilities can result in the program crashing, data being corrupted, or in some cases – like with these two vulnerabilities –remote code execution, which can allow threat actors to take full control of vulnerable devices.
Apple said the vulnerabilities were reported by an anonymous researcher and no further information has been released on which threat groups are believed to be exploiting the vulnerabilities. Apple has only confirmed that the vulnerabilities may be actively exploited in the wild.
All users of vulnerable devices should update the software as soon as possible – I.e. today. Any individual that is likely to be a target for nation-state threat actors should update the operating system to the latest version immediately.
The bugs have been fixed in the following OS versions
- iOS 15.6.1
- iPadOS 15.6.
- macOS 12.5.1
- Safari 15.6.1 for macOS Big Sur and Catalina