In January, Apple patched two more actively exploited zero-days that enabled attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and the users' identities in real-time (CVE-2022-22594). In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675) that could also be used to execute code with Kernel privileges. Seven zero-days patched by Apple this year Likely, these zero-days were only used in targeted attacks, but it's still strongly advised to install today's security updates as soon as possible. iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).Īpple disclosed active exploitation in the wild, however, it did not release any additional info regarding these attacks.The list of devices affected by both vulnerabilities are: The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 with improved bounds checking for both bugs. The second zero-day vulnerability is CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps that can access the web.Īpple says this flaw would allow an attacker to perform arbitrary code execution and, as it's in the web engine, could likely be exploited remotely by visiting a maliciously crafted website. As this is the highest privilege level, a process would be able to perform any command on the device, effectively taking complete control over it. The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS.Īn application, such as malware, can use this vulnerability to execute code with Kernel privileges. This vulnerability is an out-of-bounds write vulnerability in the operating system's Kernel.
The two vulnerabilities are the same for all three operating systems, with the first tracked as CVE-2022-32894. Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS 15.6.1 to resolve two zero-day vulnerabilities that are reported to have been actively exploited. In many cases, zero-days have public proof-of-concept exploits or are actively exploited in attacks.
Zero-day vulnerabilities are security flaws known by attackers or researchers before the software vendor has become aware or been able to patch them. Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.
0 kommentar(er)
