IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple fixes array of iOS, macOS zero-days and code execution security flaws

The first wave of security updates for Apple products in 2022 follows a year in which a wide variety of security flaws plagued its portfolio of devices

Apple has patched an array of security issues affecting iOS, iPadOS, and macOS devices, including two zero-day vulnerabilities.

Among the other myriad fixes for iOS and iPadOS 15.3, and macOS Monterrey 12.2 released on Wednesday were code execution flaws and some that allowed arbitrary code to run on affected devices with kernel privileges.

The first of the two critical flaws, tracked as CVE-2022-22587, involves an issue with the IOMobileFrameBuffer, a kernel extension responsible for managing a device's framebuffer - a portion of RAM that drives the video display. It's believed to have affected the iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, and other devices in the ecosystem too.

Apple said a malicious application could exploit a flaw in this extension to execute arbitrary code with kernel privileges. Apple also said it previously knew about the security issue and that it believes it may have already been actively exploited in the wild. It was a memory corruption issue Apple fixed with improved input validation.

The bug was discovered by Meysam Firouzi of MBition - Mercedes-Benz Innovation Lab, and independent researcher Siddharth Aeri. A third, anonymous researchers was also thought to be involved.

Aeri published a proof-of-concept (PoC) for the security issue on 31 December 2021 and noted on their Twitter page that the bug was demonstrated by Pangu Team at Tianfucup 2021, a hacking competition similar to Zero Day Initiative's Pwn2Own.

The second zero-day flaw was found in Apple's WebKit browser engine and affects Safari 15 on macOS, and all browsers on iOS and iPadOS 15, as IT Pro previously reported.

Martin Bajanik of FingerprintJS first discovered the bug on 28 November 2021 and made it publicly available on 14 January, before Apple assigned it CVE-2022-22594 and patched it in Wednesday's slew of updates.

Exploiting the bug would see websites able to track sensitive user information and stemmed from a cross-origin issue in the IndexDB API. Apple fixed it using the same method as the first zero-day, by improving the input validation.

When he made the public disclosure earlier this month, Bajanik labelled the flaw a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," said Bajanik who authored FingerprintJS' analysis of the bug. "This is possible because database names are typically unique and website-specific."

A total of five arbitrary code execution issues were found to affect iOS 15.3 and iPadOS 15.3, and seven affected macOS Monterrey 12.2. Four of the vulnerabilities in macOS also affected iPhones and iPads, meaning there was a single vulnerability exclusive to iOS 15.3 and iPadOS 15.3, three exclusive to macOS, and four shared across the operating systems of Apple's popular iPhones, iPads, and Mac computers.

Apple's zero-day-ridden 2021

The latest wave of patches marks Apple's first release of fixes this year and the company was forced to patch a score of zero-day and other critical vulnerabilities throughout 2021, including the infamous ForcedEntry exploit used to enable NSO Group's Pegasus spyware.

Related Resource

Establishing a strong foundation for DataOps

How to gain a competitive advantage with your available data

Whitepaper cover with titles, text and blue graphicsFree Download

Arbitrary code execution zero-days in WebKit were also found in May 2021 affecting Safari, all third-party iOS browsers, Apple Mail, and the App Store too. An additional emergency patch was also released a month later to fix more WebKit flaws in iOS 12 which could lead to remote code execution attacks.

May 2021 was a particularly troubled period for the company, the products from which were once said to not even need antivirus protection. Another significant number of vulnerabilities were fixed at the end of May across iOS, macOS, tvOS, watchOS and Safari, including a macOS Big Sur zero-day vulnerability under active attack at the time.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Apple "completely redesigns" IT certifications, introduces two new exams
Careers & training

Apple "completely redesigns" IT certifications, introduces two new exams

19 May 2022
Apple executive rejoins Google over remote work policy
flexible working

Apple executive rejoins Google over remote work policy

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Three lessons the iPod can teach us about disruption
Technology

Three lessons the iPod can teach us about disruption

11 May 2022

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022