Apple today released an important security update to three of its devices – iPad, iPhone, and Mac to patch two critical zero-day vulnerabilities in them.
While one is infested in the operating system’s kernel, the other was found in Apple’s WebKit – used by Safari as a browser engine. Since both these tools are core to Apple’s devices and work with full privileges, they constitute to greater harm if not patched. Apple has also noted active exploration of these bugs even before the patch is released.
Security Vulnerabilities in Apple Devices
Zero-day bugs are something that hasn’t been acknowledged by the OEM or released a patch before the hackers spotted them and started exploiting them. They’re termed as serious issues since they sometimes give full privileges to the attackers, and victims can’t do anything but watch until a formal patch from the OEM arrive.
One such case has hit the Apple ecosystem, where two zero-day vulnerabilities are spotted in iPhones, iPads, and Macs – which let attackers takeover the target system and run with full privileges. The first one is tracked as CVE-2022-32894 and is an out-of-bounds write vulnerability in the OS Kernel.
While the second one is tracked as CVE-2022-32893 and is an out-of-bounds write vulnerability in WebKit – a web browser engine used by Apple’s Safari and other apps to access the web. This could potentially allow the attacker to perform remote code execution and by making the target visit a maliciously crafted website.
And since they give attackers the highest privilege level, they would let them do anything with it. Below are the affected Apple devices for these two bugs;
- Macs running macOS Monterey
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Securing them, Apple released macOS Monterey 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 to resolve the two zero-day vulnerabilities in these devices. Though Apple disclosed active exploitations of these two bugs, it didn’t share more details on that issue.