Malwarebytes Labs, Jan 27, 2022 - 9:56 p.m.

Update now! Apple patches another actively used zero-day

Pieter Arntz

Apple has released patches for iOS 15.3, iPadOS 15.3, and macOS Monterey 12.2 and is urging users to update. The most significant reasons are two actively exploited zero-day vulnerabilities, one of which has a publicly disclosed Proof-of-Concept (PoC).

Using this vulnerability, designated CVE-2022-22587, a malicious app could execute arbitrary code with kernel privileges.

Why did it take so long?

The zero-day appears to have been found and reported by at least two researchers independently of each other. Apple acknowledged an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01) for having reported this flaw.

The two researchers both stated that it took a long time for this bug to be acknowledged and fixed. One of them posted a Proof-of-Concept (PoC) on January 1st.

> while my californian friends are still waiting for 2022 how about a kernel oob read that works on the latest iOS 15.2 🙂
> – binaryboy (@b1n4r1b01) January 1, 2022

The other researcher reported the issue through the Zero-Day-Initiative (ZDI) three months ago, waited for two months and then decided to report to Apple directly.

> I reported this vulnerability to @thezdi about 3 months ago and unfortunately they didn't answer me for like 2 months, then I canceled my report and sent it to Apple directly. And we see it had been exploited in the wild.
> – Meysam Firouzi (@R00tkitSMM) January 26, 2022

The Zero Day Initiative (ZDI) was created to encourage the private reporting of zero-day vulnerabilities to the affected vendors by financially rewarding researchers, although there have been some complaints from researchers that they did not feel they were taken seriously by the ZDI.

IOMobileFrameBuffer

CVE-2022-22587 is a memory corruption bug in IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey. IOMobileFrameBuffer is a kernel extension that manages the screen framebuffer. An earlier vulnerability in this extension, listed as CVE-2021-30807, was tied to the Pegasus spyware. Another, listed as CVE-2021-30883, also allowed an application to execute arbitrary code with kernel privileges. We hope that the input validation in this extension has now been tightened enough to make this impossible in the future.

Actively exploited

Apple acknowledged that it was aware of a report that this issue may have been actively exploited.

Safari WebKit bug

The second zero-day is the Safari WebKit bug in iOS and iPadOS that allowed websites to track users' browsing activity and identities in real time. After a researcher at FingerprintJS disclosed the bug in November, it was assigned CVE-2022-22594 and has now been fixed.

Update details

iOS 15.3 and iPadOS 15.3 fix a total of ten security bugs. The updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

(Image: iPadOS update available.)

macOS Monterey 12.2 patches a total of 13 vulnerabilities. The update also promises to bring smoother scrolling to MacBooks, fixing a previously reported scrolling issue in Safari.

Apple also released security fixes for legacy versions of macOS Big Sur and Catalina.
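For anyone responsible for a fleet of Apple devices, the practical question is which devices are still below the fixed versions named above. The following script is an added example (not Malwarebytes' or Apple's code) that triages a constructed inventory of `hostname product version` lines against the iOS 15.3, iPadOS 15.3 and macOS 12.2 thresholds from this post; because the post gives no version numbers for the Big Sur and Catalina fixes, macOS 11 and older is reported as "unknown" rather than guessed.

```python
"""Triage an Apple device inventory against the fixed versions from the post.
The inventory format and host names below are constructed for illustration."""
from typing import Optional

# Minimum versions carrying the CVE-2022-22587 / CVE-2022-22594 fixes (from the post).
FIXED_VERSIONS = {"iOS": (15, 3), "iPadOS": (15, 3), "macOS": (12, 2)}


def parse_version(text: str) -> tuple:
    """Turn '12.1.1' or '15.3' into a comparable tuple of ints.
    Trailing zeros are dropped so that '12.2.0' compares equal to '12.2'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if at or above the fixed version, False if below, None if the post
    gives no threshold for this product/major version (e.g. macOS 11 / 10.15)."""
    v = parse_version(version)
    if product == "macOS" and v[0] < 12:
        return None  # Big Sur / Catalina got fixes, but no version is stated here
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return v >= fixed  # tuple comparison handles differing lengths correctly


def triage(inventory: str) -> dict:
    """Group 'hostname product version' lines into patched / unpatched / unknown."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory.strip().splitlines():
        host, product, version = line.split()
        state = is_patched(product, version)
        bucket = "unknown" if state is None else ("patched" if state else "unpatched")
        result[bucket].append(host)
    return result


# Constructed sample inventory; none of these are real hosts.
SAMPLE = """\
mbp-01 macOS 12.2
mbp-02 macOS 12.1.1
ipad-07 iPadOS 15.3
iphone-03 iOS 15.2.1
imac-09 macOS 11.6.3
"""

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'patched': [...], 'unpatched': [...], 'unknown': [...]}
```

On a Mac the `product version` pair can be taken from `sw_vers -productVersion`; for iOS and iPadOS it comes from whatever MDM or inventory export you already have.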

Stay safe, everyone!

The post Update now! Apple patches another actively used zero-day appeared first on Malwarebytes Labs.