Skip to ContentSkip to Footer
IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
News

Apple fixes array of iOS, macOS zero-days and code execution security flaws

The first wave of security updates for Apple products in 2022 follows a year in which a wide variety of security flaws plagued its portfolio of devices

by: Connor Jones
27 Jan 2022
Apple logo on the side of a building

Shutterstock

Apple has patched an array of security issues affecting iOS, iPadOS, and macOS devices, including two zero-day vulnerabilities.

Among the other myriad fixes for iOS and iPadOS 15.3, and macOS Monterrey 12.2 released on Wednesday were code execution flaws and some that allowed arbitrary code to run on affected devices with kernel privileges.

The first of the two critical flaws, tracked as CVE-2022-22587, involves an issue with the IOMobileFrameBuffer, a kernel extension responsible for managing a device's framebuffer - a portion of RAM that drives the video display. It's believed to have affected the iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, and other devices in the ecosystem too.

Apple said a malicious application could exploit a flaw in this extension to execute arbitrary code with kernel privileges. Apple also said it previously knew about the security issue and that it believes it may have already been actively exploited in the wild. It was a memory corruption issue Apple fixed with improved input validation.

The bug was discovered by Meysam Firouzi of MBition - Mercedes-Benz Innovation Lab, and independent researcher Siddharth Aeri. A third, anonymous researchers was also thought to be involved.

Aeri published a proof-of-concept (PoC) for the security issue on 31 December 2021 and noted on their Twitter page that the bug was demonstrated by Pangu Team at Tianfucup 2021, a hacking competition similar to Zero Day Initiative's Pwn2Own.

The second zero-day flaw was found in Apple's WebKit browser engine and affects Safari 15 on macOS, and all browsers on iOS and iPadOS 15, as IT Pro previously reported.

Martin Bajanik of FingerprintJS first discovered the bug on 28 November 2021 and made it publicly available on 14 January, before Apple assigned it CVE-2022-22594 and patched it in Wednesday's slew of updates.

Exploiting the bug would see websites able to track sensitive user information and stemmed from a cross-origin issue in the IndexDB API. Apple fixed it using the same method as the first zero-day, by improving the input validation.

When he made the public disclosure earlier this month, Bajanik labelled the flaw a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," said Bajanik who authored FingerprintJS' analysis of the bug. "This is possible because database names are typically unique and website-specific."

A total of five arbitrary code execution issues were found to affect iOS 15.3 and iPadOS 15.3, and seven affected macOS Monterrey 12.2. Four of the vulnerabilities in macOS also affected iPhones and iPads, meaning there was a single vulnerability exclusive to iOS 15.3 and iPadOS 15.3, three exclusive to macOS, and four shared across the operating systems of Apple's popular iPhones, iPads, and Mac computers.

Apple's zero-day-ridden 2021

The latest wave of patches marks Apple's first release of fixes this year and the company was forced to patch a score of zero-day and other critical vulnerabilities throughout 2021, including the infamous ForcedEntry exploit used to enable NSO Group's Pegasus spyware.

Related Resource

Establishing a strong foundation for DataOps

How to gain a competitive advantage with your available data

Whitepaper cover with titles, text and blue graphicsFree Download

Arbitrary code execution zero-days in WebKit were also found in May 2021 affecting Safari, all third-party iOS browsers, Apple Mail, and the App Store too. An additional emergency patch was also released a month later to fix more WebKit flaws in iOS 12 which could lead to remote code execution attacks.

May 2021 was a particularly troubled period for the company, the products from which were once said to not even need antivirus protection. Another significant number of vulnerabilities were fixed at the end of May across iOS, macOS, tvOS, watchOS and Safari, including a macOS Big Sur zero-day vulnerability under active attack at the time.

Featured Resources

Defending against malware attacks starts here

The ultimate guide to building your malware defence strategy

Free Download

Datto SMB cyber security for MSPs report

A world of opportunity for MSPs

Free Download

The essential guide to preventing ransomware attacks

Vital tips and guidelines to protect your business using ZTNA and SSE

Free Download

Medium businesses: Fuelling the UK’s economic engine

A Connected Thinking report

Free Download

Recommended

Linux edges closer to full Apple silicon support with version 6.2
operating systems

Linux edges closer to full Apple silicon support with version 6.2

21 Feb 2023
Microsoft officially brings Windows 11 to Macs via Parallels
operating systems

Microsoft officially brings Windows 11 to Macs via Parallels

17 Feb 2023
Apple issues patch for macOS security bypass vulnerability
Security

Apple issues patch for macOS security bypass vulnerability

20 Dec 2022
Apple issues fix for ‘actively exploited’ WebKit zero-day vulnerability
Security

Apple issues fix for ‘actively exploited’ WebKit zero-day vulnerability

14 Dec 2022

Most Popular

Tech pioneers call for six-month pause of "out-of-control" AI development
artificial intelligence (AI)

Tech pioneers call for six-month pause of "out-of-control" AI development

29 Mar 2023
Getting the best value from your remote support software
Advertisement Feature

Getting the best value from your remote support software

13 Mar 2023
Microsoft set to block emails from unsupported Exchange servers
Security

Microsoft set to block emails from unsupported Exchange servers

28 Mar 2023
Skip to HeaderSkip to Content