IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple releases emergency patch fixing zero-days across iOS and macOS

Flaws have been fixed on iPhones, iPads, and Macs, as well as undisclosed vulnerabilities on Apple TV and Apple Watch devices

Apple has released a set of emergency security updates for iPhone, iPad, and Mac following the discovery of two new zero-day vulnerabilities that were actively being exploited.

An anonymous researcher made Apple aware of the security issues, which are tracked as CVE-2022-22674 and CVE-2022-22675 respectively.

The first issue (CVE-2022-22674) only affects Macs, and more specifically the Intel Graphics Driver. Apple said the vulnerability involved an out-of-bounds read issue that could lead to the disclosure of kernel memory.

Apple believes the issue may have been exploited by hackers in the past and has fixed it by improving input validation, it said in an advisory.

Out-of-bounds read flaws typically allow attackers to read sensitive information from other memory locations, or cause a crash on the device.

The second vulnerability (CVE-2022-22675) affects iPhones, iPads, and Macs. A flaw in AppleAVD, an audio/video decoding framework used by Apple devices, allowed for arbitrary code to be executed with kernel privileges. The vulnerability, also believed to have been exploited in the past, was caused by an out-of-bounds write issue that Apple fixed by improving bounds checking.

Similar to out-of-bounds read issues, out-of-bounds write flaws occur when software modifies an index or performs pointer arithmetic that references a memory location outside of the buffer’s boundaries. This can lead to data corruption, a device crash, or, in this case, code execution.

Apple has released emergency patches for all affected devices on iOS (15.4.1), iPadOS (15.4.1), and macOS (12.3.1). These include iPhone 6 models and newer, all iPad Pro models, iPad Air 2 and newer, iPad 5th generation and newer, iPad mini4 and newer, and iPod Touch 7th generation.

Importantly, the security patch for Macs seems to only be available on macOS Monterey, which means devices will need to be updated to the latest version of the operating system.

Security fixes for Apple TV (tvOS 15.4.1) and Apple Watch (watchOS 8.5.1) were also released in new updates, but Apple has not yet supplied any information for these or assigned CVE tracking codes.

A year full of zero-days

The latest round of emergency patches from Apple addresses the fourth and fifth zero-day vulnerabilities affecting devices in the company’s device ecosystem this year.

An array of security issues, including two zero-days, were patched in January that all involved code execution flaws, some with kernel privileges too, similar to CVE-2022-22675.

Around two weeks later, Apple was forced to issue another emergency patch for a critical WebKit flaw. WebKit is the engine that powers the Safari browser and the code execution flaw also had evidence of previous active exploitation.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more
Mobile

Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more

23 Jun 2022
Apple faces a catch-22 decision with iPhones and USB-C
Policy & legislation

Apple faces a catch-22 decision with iPhones and USB-C

8 Jun 2022
Apple overhauls SwiftUI navigation and brings a score of new features to developers at WWDC 2022
software development

Apple overhauls SwiftUI navigation and brings a score of new features to developers at WWDC 2022

7 Jun 2022
The EU’s Apple App Store crackdown ‘will fuel cyber attacks’
cyber security

The EU’s Apple App Store crackdown ‘will fuel cyber attacks’

1 Jun 2022

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022