Apple has released a batch of security updates to fix known vulnerabilities in its iOS operating system, including a fix for zero-day iOS vulnerability that is being actively exploited in the wild in attacks on iPhones and iPads.
The 0day vulnerability – tracked as CVE-2022-42827 – is an out-of-bounds write vulnerability in the kernel that affects iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad Mini 5th generation and later.
The vulnerability is due to iOS allowing data to be written outside of the memory buffer. These types of vulnerabilities often result in data corruption, or crashes, but can allow code execution. In this case, if the flaw is successfully exploited, an attacker can execute arbitrary code with kernel privileges.
Apple was alerted to the vulnerability by an anonymous researcher and has also received reports indicating the vulnerability has already been exploited in the wild, but Apple has not been able to tie the exploits to any specific cybercriminal group or nation-state threat actor. No information has been released on the nature of the attacks, although it is probable that exploitation has been highly targeted, most likely by a nation-state threat actor.
Apple has fixed the vulnerability in iOS 16.1 and iPadOS 16. The latest software versions also include fixes for two similar vulnerabilities in the kernel – CVE-2022-42808 and CVE-2022-32924 – that are not believed to have been exploited in the wild. In total, 19 vulnerabilities have been corrected in this batch of updates, including 3 ppp and 3 WebKit vulnerabilities.
All users are encouraged to update to the latest version of the OS as soon as possible. If you have yet to install the latest version, you can do so via: Settings > General > Software Update and choosing Download and Install