Apple fixed two zero-day vulnerabilities in iPhones, iPads, and Macs on Thursday with security updates. Security issues that have not yet been patched by the firm are known as zero-day vulnerabilities. It’s possible that some of these vulnerabilities have already been exploited.
First, a vulnerability in the Intel Graphics Driver has been identified as CVE-2022-22674, which would allow malicious apps to access kernel memory.
“An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by the IT giant.
CVE-2022-22674 in the Intel Graphics Driver allows apps to access kernel memory and CVE-2022-22675 in the AppleAVD media decoder lets apps execute arbitrary code with kernel privileges, both of which may be exploited through the two out-of-bounds write issues.
“An application may be able to execute arbitrary code with kernel privileges.” reads the advisory. “An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.”
In iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1 improvements to input validation and bounds checking were made in response to reports from anonymous researchers.
The affected devices are listed as follows:
- macOS Monterey
- iPhone 6s to the latest
- iPod touches 5th generation and later, iPad mini 4 and later, and iPad Pro (all models) (7th generation)
Holding back this information is most likely intended to give the security patches time to reach as many iOS devices as possible before cybercriminals discover the zero-day vulnerabilities that have been fixed as a result of the delay.
Despite the fact that these zero-day vulnerabilities were most likely only exploited in targeted attacks, it is strongly recommended that you install today’s security patches as soon as possible in order to prevent future attack attempts.
Anonymous researchers disclosed both zero-day vulnerabilities, and Apple released iOS 15.4.1, iPadOS 15.4.1, and Mac OS Monterey 12.3.1, that patched both the issues.
Apple did not provide any information regarding how the vulnerabilities were exploited in the wild. It is suggested that users apply the security updates as soon as possible when they are released.
Since January, Apple has patched three more vulnerabilities that were aggressively exploited. It was announced in February that Apple has patched a zero-day vulnerability in the WebKit, which was tracked as CVE-2022-22620 and affected iOS, iPadOS, macOS, and Safari. The weakness was a use-after-free problem that could be triggered by processing maliciously generated web content, which may result in arbitrary code execution and disclosure of sensitive information.