Apple releases emergency patch fixing zero-days across iOS and macOS

Image of iPhone 13 on a white background — (Image credit: IT Pro)

Apple has released a set of emergency security updates for iPhone, iPad, and Mac following the discovery of two new zero-day vulnerabilities that were actively being exploited.

An anonymous researcher made Apple aware of the security issues, which are tracked as CVE-2022-22674 and CVE-2022-22675 respectively.

What's behind the explosion in zero-day exploits? Apple fixes array of iOS, macOS zero-days and code execution security flaws Apple users told to update their devices to fix critical WebKit flaw

The first issue (CVE-2022-22674) only affects Macs, and more specifically the Intel Graphics Driver. Apple said the vulnerability involved an out-of-bounds read issue that could lead to the disclosure of kernel memory.

Apple believes the issue may have been exploited by hackers in the past and has fixed it by improving input validation, it said in an advisory.

Out-of-bounds read flaws typically allow attackers to read sensitive information from other memory locations, or cause a crash on the device.

The second vulnerability (CVE-2022-22675) affects iPhones, iPads, and Macs. A flaw in AppleAVD, an audio/video decoding framework used by Apple devices, allowed for arbitrary code to be executed with kernel privileges. The vulnerability, also believed to have been exploited in the past, was caused by an out-of-bounds write issue that Apple fixed by improving bounds checking.

Similar to out-of-bounds read issues, out-of-bounds write flaws occur when software modifies an index or performs pointer arithmetic that references a memory location outside of the buffer’s boundaries. This can lead to data corruption, a device crash, or, in this case, code execution.

Apple has released emergency patches for all affected devices on iOS (15.4.1), iPadOS (15.4.1), and macOS (12.3.1). These include iPhone 6 models and newer, all iPad Pro models, iPad Air 2 and newer, iPad 5th generation and newer, iPad mini4 and newer, and iPod Touch 7th generation.

Importantly, the security patch for Macs seems to only be available on macOS Monterey, which means devices will need to be updated to the latest version of the operating system.

Security fixes for Apple TV (tvOS 15.4.1) and Apple Watch (watchOS 8.5.1) were also released in new updates, but Apple has not yet supplied any information for these or assigned CVE tracking codes.

A year full of zero-days

The latest round of emergency patches from Apple addresses the fourth and fifth zero-day vulnerabilities affecting devices in the company’s device ecosystem this year.

An array of security issues, including two zero-days, were patched in January that all involved code execution flaws, some with kernel privileges too, similar to CVE-2022-22675.

Around two weeks later, Apple was forced to issue another emergency patch for a critical WebKit flaw. WebKit is the engine that powers the Safari browser and the code execution flaw also had evidence of previous active exploitation.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.