IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs

The RCE and kernel-level bugs may have been actively exploited and could give high-level privileges to attackers

Apple has fixed two zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterrey that may have been actively exploited.

The first exploit is a remote code execution (RCE) flaw affecting Apple’s proprietary browser engine WebKit, tracked as CVE-20220-32893.

An attacker could maliciously alter a web page and if visited by a WebKit-powered browser, then unauthorised code could run on unpatched devices.

WebKit is Apple’s browser engine and is naturally used to power the native Safari browser on currently supported iPhones and iPads. It’s also the engine that Apple compels app developers to use when building for its mobile devices.

This means even Google Chrome has to forfeit its Blink and V8 engines on iOS and iPadOS, and other browsers also have to use WebKit to pass Apple’s App Store checks.

Other apps that may not be browsers primarily, but have browsing features within them, also use WebKit to display web content which means the vulnerability may have a wide-reaching attack surface.

Devices affected by CVE-20220-32893 include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), and macOS Monterrey.

This vulnerability is the third critical WebKit bug Apple has been made to fix this year after the first two patches were released within weeks of each other at the start of the year.

The second zero-day exploit patched by Apple on Wednesday is a kernel-level code execution bug that can be abused once an attacker gains an initial foothold on an affected device.

Tracked as CVE-2022-32894, one way an attacker could achieve that initial foothold is by exploiting the aforementioned WebKit flaw, according to researchers at Sophos

This means an attacker “could jump from controlling just a single app on your device to taking over the operating system kernel itself, thus acquiring the sort of ‘administrative superpowers’ normally reserved for Apple itself,” said Paul Ducklin, principal research scientist at Sophos.

Such privileges could afford an attacker the ability to carry out activities such as spying on apps, accessing nearly all data on the device, retrieving locations, using cameras, taking screenshots, activating the microphone, and more, he said.

Like the WebKit flaw, the code required to exploit this vulnerability would have to be embedded within a maliciously crafted web page and executed after the WebKit vulnerability had already been exploited.

Related Resource

Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities

Whitepaper cover with title and text, and image of pyramid cyber-resilience modelFree Download

This zero-day also affects all the aforementioned iPhone and iPad devices, in addition to Macs running macOS Monterrey.

Both issues were caused by an out-of-bounds write issue and were addressed by improving the bounds checking of the vulnerable components.

The two vulnerabilities patched by Apple on Wednesday represent the sixth and seventh zero-day exploits that Apple has been forced to fix this year.

The company also patched a swathe of zero-day vulnerabilities in 2021 including the ForcedEntry exploit used by the notorious Pegasus spyware developed by NSO Group.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Apple iPad Pro 12.9in (2021) review: A giant leap for Apple silicon
tablets

Apple iPad Pro 12.9in (2021) review: A giant leap for Apple silicon

30 Sep 2022
Apple patches yet another zero-day flaw in substantial security update
zero-day exploit

Apple patches yet another zero-day flaw in substantial security update

13 Sep 2022
Apple breaks update policy to secure older iPhones and iPads against zero-day
zero-day exploit

Apple breaks update policy to secure older iPhones and iPads against zero-day

1 Sep 2022
Apple expands Xcode Cloud platform with launch of paid subscriptions
software development

Apple expands Xcode Cloud platform with launch of paid subscriptions

31 Aug 2022

Most Popular

What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
BT's new platform promises to slash AI development time from months to days
artificial intelligence (AI)

BT's new platform promises to slash AI development time from months to days

3 Oct 2022