Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs
The RCE and kernel-level bugs may have been actively exploited and could give high-level privileges to attackers
Apple has fixed two zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterrey that may have been actively exploited.
The first exploit is a remote code execution (RCE) flaw affecting Apple’s proprietary browser engine WebKit, tracked as CVE-20220-32893.
An attacker could maliciously alter a web page and if visited by a WebKit-powered browser, then unauthorised code could run on unpatched devices.
WebKit is Apple’s browser engine and is naturally used to power the native Safari browser on currently supported iPhones and iPads. It’s also the engine that Apple compels app developers to use when building for its mobile devices.
Other apps that may not be browsers primarily, but have browsing features within them, also use WebKit to display web content which means the vulnerability may have a wide-reaching attack surface.
Devices affected by CVE-20220-32893 include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), and macOS Monterrey.
This vulnerability is the third critical WebKit bug Apple has been made to fix this year after the first two patches were released within weeks of each other at the start of the year.
The second zero-day exploit patched by Apple on Wednesday is a kernel-level code execution bug that can be abused once an attacker gains an initial foothold on an affected device.
Tracked as CVE-2022-32894, one way an attacker could achieve that initial foothold is by exploiting the aforementioned WebKit flaw, according to researchers at Sophos.
This means an attacker “could jump from controlling just a single app on your device to taking over the operating system kernel itself, thus acquiring the sort of ‘administrative superpowers’ normally reserved for Apple itself,” said Paul Ducklin, principal research scientist at Sophos.
Such privileges could afford an attacker the ability to carry out activities such as spying on apps, accessing nearly all data on the device, retrieving locations, using cameras, taking screenshots, activating the microphone, and more, he said.
Like the WebKit flaw, the code required to exploit this vulnerability would have to be embedded within a maliciously crafted web page and executed after the WebKit vulnerability had already been exploited.
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilitiesFree Download
This zero-day also affects all the aforementioned iPhone and iPad devices, in addition to Macs running macOS Monterrey.
Both issues were caused by an out-of-bounds write issue and were addressed by improving the bounds checking of the vulnerable components.
The two vulnerabilities patched by Apple on Wednesday represent the sixth and seventh zero-day exploits that Apple has been forced to fix this year.
Three ways manual coding is killing your business productivity
...and how you can fix itFree Download
Goodbye broadcasts, hello conversations
Drive conversations across the funnel with the WhatsApp Business PlatformFree Download
Winning with multi-cloud
How to drive a competitive advantage and overcome data integration challengesFree Download
Talking to a business should feel like messaging a friend
Managing customer conversations at scale with the WhatsApp Business PlatformFree Download