Apple rushes out patches for two 0-days threatening iOS and macOS users

On Thursday, Apple released fixes for two critical zero-day vulnerabilities in iPhones, iPads and Macs that give hackers dangerous access to the internal features of the operating systems on which the devices run.

Apple credited an anonymous researcher for discovering both vulnerabilities. The first vulnerability, CVE-2022-22675, is found in macOS for Monterey and in iOS or iPadOS for most iPhone and iPad models. The bug, which stems from an out-of-bounds typing issue, gives hackers the ability to execute malware run with privileges from the kernel, the most security-sensitive region of the operating system. CVE-2022-22674, meanwhile, is also the result of an out-of-bounds reading problem that could lead to the disclosure of nuclear memory.

Apple revealed barefoot details for the flaws here and here. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote of both vulnerabilities.

Raining down Apple zero-days

CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days that Apple has patches this year. In January, the company rushed out patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS and HomePod Software to fix a zero-day memory corruption that could give developers the ability to execute code with core privileges. The bug, tracked as CVE-2022-22587, was found in IOMobileFrameBuffer. A separate vulnerability, CVE-2022-22594, allowed websites to track sensitive user information. The exploitation code for that vulnerability was released publicly before the patch was issued.

Apple in February sent out a fix for one use after free bug in the browser engine Webkit which gave attackers the ability to run malware on iPhones, iPads and iPod Touches. Apple said that reports they received indicated that the vulnerability – CVE-2022-22620 – may also have been actively exploited.

A spreadsheet Google security researchers insist on tracking zero days shows that Apple fixed a total of 12 such vulnerabilities in 2021. Among these was a bug in iMessage that Pegasus’ spyware targeted using a zero-click exploit, which means that devices were infected only by receiving a malicious message , without the user having to do anything. Two zero days that Apple patched in May allowed attackers to infect fully updated devices.

Leave a Comment