Apple rushes out patches for two zero-days threatening iOS and macOS users

01/04/2022

Apple on Thursday released fixes for two critical zero-day vulnerabilities in iPhones, iPads, and Macs that give hackers dangerous access to the internals of the OSes the devices run on.

Apple credited an anonymous researcher with discovering both vulnerabilities. The first vulnerability, CVE-2022-22675, resides in macOS Monterey and in iOS or iPadOS for most iPhone and iPad models. The flaw, which stems from an out-of-bounds write issue, gives hackers the ability to execute malicious code that runs with the privileges of the kernel, the most security-sensitive region of the OS. CVE-2022-22674, meanwhile, results from an out-of-bounds read issue that can lead to the disclosure of kernel memory.

Apple disclosed only bare-bones details for the flaws. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote of both vulnerabilities.

Raining down Apple zero-days

CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days Apple has patched this year. In January, the company rushed out patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS, and HomePod Software to fix a zero-day memory corruption flaw that could give exploiters the ability to execute code with kernel privileges. The bug, tracked as CVE-2022-22587, resided in the IOMobileFrameBuffer. A separate vulnerability, CVE-2022-22594, made it possible for websites to track sensitive user information. The exploit code for that vulnerability was released publicly prior to the patch being issued.

Apple in February pushed out a fix for a use-after-free bug in the WebKit browser engine that gave attackers the ability to run malicious code on iPhones, iPads, and iTouches. Apple said that reports it received indicated the vulnerability—CVE-2022-22620—might also have been actively exploited.

A spreadsheet Google security researchers maintain to track zero-days shows Apple fixed a total of 12 such vulnerabilities in 2021. Among those was a flaw in iMessage that the Pegasus spyware framework was targeting using a zero-click exploit, meaning devices were infected merely by receiving a malicious message, without any user action required. Two zero-days that Apple patched in May made it possible for attackers to infect fully up-to-date devices.
