IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple patches actively exploited iPhone, iPad zero-day and 18 other security flaws

The out-of-bounds write error is the eighth actively exploited zero-day impacting Apple hardware this year and could facilitate kernel-level code execution

Apple has released an update providing a number of patches for iOS and iPadOS, including one zero-day that “may have been actively exploited".

Tracked as CVE-2022-42827, the zero-day vulnerability was the result of an out-of-bounds write error in the kernel, which could be used by threat actors to execute malicious code on the kernel level.

Related Resource

How to trust your inbox with Cloudflare Area 1

Why your current email security may not be enough

Webinar screen with title and globe graphicWatch now

This could allow for custom, potentially malicious programs to be run on the victim’s device, as well as putting all data on it at serious risk of exfiltration or destruction.

An out-of-bounds write error occurs when a program writes beyond the end of an intended buffer or specified array, and typically results in a crash or corruption of data. If exploited, they can be used to modify system data and execute code on impacted devices remotely.

In its post for the iOS 16.1 and iPadOS 16 security updates, Apple noted that through the flaw an “application may be able to execute arbitrary code with kernel privileges".

Beyond this, the firm offered little detail of the precise nature of the zero-day, in line with its policies on security issues and in accordance with its longstanding approach of providing little detail on security incidents.

“For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available,” stated a notice in the update post.

Affected devices include all of its smartphones from iPhone 8 and above, all models of the iPad Pro, iPad Air 3rd generation and above, and iPad and iPad Mini - both 5th generation and above.

Beyond the zero-day, the latest security update also provides patches for 18 other vulnerabilities. Of these, two more were in the kernel, though these are not thought to be actively exploited, while three were in WebKit, Apple’s browser engine which powers Safari.

Other flaws were fixed in the point-to-point protocol (PPP), a TCP/IP protocol used to send data between devices, as well as in core Bluetooth and the GPU drivers.

The patch marks the ninth overall update addressing a zero-day flaw by Apple this year. In September, the tech giant patched a similar kernel vulnerability, which allowed for arbitrary code to be executed with kernel privileges. This vulnerability also affected macOS Monterey, and had been potentially exploited in the wild by the time it was patched.

In August, Apple patched a 'superpower' zero-day affecting WebKit, in which threat actors could use remote code execution (RCE) to alter web pages, which would then run malicious code on Apple devices that visited them.

More recently, earlier this month Apple was forced to release a fix for a denial of service vulnerability, tracked as CVE-2022-22658, affecting iPhones 8 and newer.

Apple said that processing a maliciously crafted message could lead to denial of service and was fixed in its iOS 16.0.3 by improving input validation.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

Android vs iOS: Which mobile OS is right for you?
Mobile

Android vs iOS: Which mobile OS is right for you?

30 Nov 2022
Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more
Mobile

Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more

11 Nov 2022
New macOS Ventura security features make for a compelling upgrade
operating systems

New macOS Ventura security features make for a compelling upgrade

25 Oct 2022
Apple iPad Pro 12.9in (2021) review: A giant leap for Apple silicon
tablets

Apple iPad Pro 12.9in (2021) review: A giant leap for Apple silicon

30 Sep 2022

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
Salesforce co-CEO Bret Taylor resigns with cryptic parting message
Business operations

Salesforce co-CEO Bret Taylor resigns with cryptic parting message

1 Dec 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022