Apple releases emergency patch fixing zero-days across iOS and macOS
Flaws have been fixed on iPhones, iPads, and Macs, as well as undisclosed vulnerabilities on Apple TV and Apple Watch devices
Apple has released a set of emergency security updates for iPhone, iPad, and Mac following the discovery of two new zero-day vulnerabilities that were actively being exploited.
An anonymous researcher made Apple aware of the security issues, which are tracked as CVE-2022-22674 and CVE-2022-22675 respectively.
The first issue (CVE-2022-22674) only affects Macs, and more specifically the Intel Graphics Driver. Apple said the vulnerability involved an out-of-bounds read issue that could lead to the disclosure of kernel memory.
Apple believes the issue may have been exploited by hackers in the past and has fixed it by improving input validation, it said in an advisory.
Out-of-bounds read flaws typically allow attackers to read sensitive information from other memory locations, or cause a crash on the device.
The second vulnerability (CVE-2022-22675) affects iPhones, iPads, and Macs. A flaw in AppleAVD, an audio/video decoding framework used by Apple devices, allowed for arbitrary code to be executed with kernel privileges. The vulnerability, also believed to have been exploited in the past, was caused by an out-of-bounds write issue that Apple fixed by improving bounds checking.
Similar to out-of-bounds read issues, out-of-bounds write flaws occur when software modifies an index or performs pointer arithmetic that references a memory location outside of the buffer’s boundaries. This can lead to data corruption, a device crash, or, in this case, code execution.
Apple has released emergency patches for all affected devices on iOS (15.4.1), iPadOS (15.4.1), and macOS (12.3.1). These include iPhone 6 models and newer, all iPad Pro models, iPad Air 2 and newer, iPad 5th generation and newer, iPad mini4 and newer, and iPod Touch 7th generation.
Importantly, the security patch for Macs seems to only be available on macOS Monterey, which means devices will need to be updated to the latest version of the operating system.
Security fixes for Apple TV (tvOS 15.4.1) and Apple Watch (watchOS 8.5.1) were also released in new updates, but Apple has not yet supplied any information for these or assigned CVE tracking codes.
A year full of zero-days
The latest round of emergency patches from Apple addresses the fourth and fifth zero-day vulnerabilities affecting devices in the company’s device ecosystem this year.
An array of security issues, including two zero-days, were patched in January that all involved code execution flaws, some with kernel privileges too, similar to CVE-2022-22675.
Around two weeks later, Apple was forced to issue another emergency patch for a critical WebKit flaw. WebKit is the engine that powers the Safari browser and the code execution flaw also had evidence of previous active exploitation.
Accelerating AI modernisation with data infrastructure
Generate business value from your AI initiativesFree Download
Recommendations for managing AI risks
Integrate your external AI tool findings into your broader security programsFree Download
Modernise your legacy databases in the cloud
An introduction to cloud databasesFree Download
Powering through to innovation
IT agility drive digital transformationFree Download