Apple releases emergency patch fixing zero-days across iOS and macOS
Flaws have been fixed on iPhones, iPads, and Macs, as well as undisclosed vulnerabilities on Apple TV and Apple Watch devices
Apple has released a set of emergency security updates for iPhone, iPad, and Mac following the discovery of two new zero-day vulnerabilities that were actively being exploited.
An anonymous researcher made Apple aware of the security issues, which are tracked as CVE-2022-22674 and CVE-2022-22675 respectively.
The first issue (CVE-2022-22674) only affects Macs, and more specifically the Intel Graphics Driver. Apple said the vulnerability involved an out-of-bounds read issue that could lead to the disclosure of kernel memory.
Apple believes the issue may have been exploited by hackers in the past and has fixed it by improving input validation, it said in an advisory.
Out-of-bounds read flaws typically allow attackers to read sensitive information from other memory locations, or cause a crash on the device.
The second vulnerability (CVE-2022-22675) affects iPhones, iPads, and Macs. A flaw in AppleAVD, an audio/video decoding framework used by Apple devices, allowed for arbitrary code to be executed with kernel privileges. The vulnerability, also believed to have been exploited in the past, was caused by an out-of-bounds write issue that Apple fixed by improving bounds checking.
Similar to out-of-bounds read issues, out-of-bounds write flaws occur when software modifies an index or performs pointer arithmetic that references a memory location outside of the buffer’s boundaries. This can lead to data corruption, a device crash, or, in this case, code execution.
Apple has released emergency patches for all affected devices on iOS (15.4.1), iPadOS (15.4.1), and macOS (12.3.1). These include iPhone 6 models and newer, all iPad Pro models, iPad Air 2 and newer, iPad 5th generation and newer, iPad mini4 and newer, and iPod Touch 7th generation.
Importantly, the security patch for Macs seems to only be available on macOS Monterey, which means devices will need to be updated to the latest version of the operating system.
Security fixes for Apple TV (tvOS 15.4.1) and Apple Watch (watchOS 8.5.1) were also released in new updates, but Apple has not yet supplied any information for these or assigned CVE tracking codes.
A year full of zero-days
The latest round of emergency patches from Apple addresses the fourth and fifth zero-day vulnerabilities affecting devices in the company’s device ecosystem this year.
An array of security issues, including two zero-days, were patched in January that all involved code execution flaws, some with kernel privileges too, similar to CVE-2022-22675.
Around two weeks later, Apple was forced to issue another emergency patch for a critical WebKit flaw. WebKit is the engine that powers the Safari browser and the code execution flaw also had evidence of previous active exploitation.
-
HP EliteBook X Flip G1i reviewReviews Looking past the lack of a multi-core roar in its Lunar Lake chip, there's very little to complain about in this mobile and security-centric hybrid machine
-
Why reselling AI isn’t where MSP margins are madeThe AI boom is driving record IT spending, but much of the licence revenue is flowing to hyperscalers. For channel partners, the real value lies in using AI internally to automate service desks, NOCs, and managed service delivery
-
Anthropic targets vulnerability detection gains with Claude Security public beta — here's what users can expectNews The Claude Mythos developer is aiming for a more limited approach to cyber tooling for public consumption
-
Researchers warn millions of RDP and VNC servers are wide open to exploitationNews Researchers at Forescout spotted millions of RDP and VNC servers exposed online
-
Brace yourselves for a vulnerability explosion, Forescout warnsNews AI advances are helping identify software flaws at record pace and scale, but that's not the good news some would think
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Organizations hit by 90 zero-day vulnerabilities last yearNews Google Threat Intelligence researchers warn that edge devices and security appliances are prime entry points
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
