Apple has released an update providing a number of patches for iOS and iPadOS, including one zero-day that “may have been actively exploited".
Tracked as CVE-2022-42827, the zero-day vulnerability was the result of an out-of-bounds write error in the kernel, which could be used by threat actors to execute malicious code on the kernel level.
RELATED RESOURCE
How to trust your inbox with Cloudflare Area 1
Why your current email security may not be enough
This could allow for custom, potentially malicious programs to be run on the victim’s device, as well as putting all data on it at serious risk of exfiltration or destruction.
An out-of-bounds write error occurs when a program writes beyond the end of an intended buffer or specified array, and typically results in a crash or corruption of data. If exploited, they can be used to modify system data and execute code on impacted devices remotely.
In its post for the iOS 16.1 and iPadOS 16 security updates, Apple noted that through the flaw an “application may be able to execute arbitrary code with kernel privileges".
Beyond this, the firm offered little detail of the precise nature of the zero-day, in line with its policies on security issues and in accordance with its longstanding approach of providing little detail on security incidents.
“For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available,” stated a notice in the update post.
Affected devices include all of its smartphones from iPhone 8 and above, all models of the iPad Pro, iPad Air 3rd generation and above, and iPad and iPad Mini - both 5th generation and above.
Beyond the zero-day, the latest security update also provides patches for 18 other vulnerabilities. Of these, two more were in the kernel, though these are not thought to be actively exploited, while three were in WebKit, Apple’s browser engine which powers Safari.
Other flaws were fixed in the point-to-point protocol (PPP), a TCP/IP protocol used to send data between devices, as well as in core Bluetooth and the GPU drivers.
The patch marks the ninth overall update addressing a zero-day flaw by Apple this year. In September, the tech giant patched a similar kernel vulnerability, which allowed for arbitrary code to be executed with kernel privileges. This vulnerability also affected macOS Monterey, and had been potentially exploited in the wild by the time it was patched.
In August, Apple patched a 'superpower' zero-day affecting WebKit, in which threat actors could use remote code execution (RCE) to alter web pages, which would then run malicious code on Apple devices that visited them.
More recently, earlier this month Apple was forced to release a fix for a denial of service vulnerability, tracked as CVE-2022-22658, affecting iPhones 8 and newer.
Apple said that processing a maliciously crafted message could lead to denial of service and was fixed in its iOS 16.0.3 by improving input validation.
-
Gender diversity improvements could be the key to tackling the UK's AI skills shortageNews Encouraging more women to pursue tech careers could plug huge gaps in the AI workforce
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Mobile app security is a huge blind spot for developer teams – 93% are confident their applications are secure, but 62% reported breaches last yearNews Organizations are overconfident about their mobile app security practices, according to new research, and it’s putting enterprises and consumers alike at risk.
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
