Update now! Apple patches another actively used zero-day


Apple has released patches for iOS 15.3, iPadOS 15.3, and macOS Monterey 12.2 and is urging users to update. The most significant reasons are two actively exploited zero-day vulnerabilities, one of which has a publicly disclosed Proof-of-Concept (PoC). Using this vulnerability, designated [CVE-2022-22587](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22587>), a malicious app could execute random code with kernel privileges. ## Why did it take so long The zero-day appears to have been found and reported by at least two researchers independently of each other. Apple acknowledged an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01) for having reported this flaw. The two researchers both stated that it took a long time for this bug to be acknowledged and fixed. One of them posted a Proof-of-Concept (PoC) on January 1st. > while my californian friends are still waiting for 2022 how about a kernel oob read that works on the latest iOS 15.2 ![🙂](https://s.w.org/images/core/emoji/13.1.0/72x72/1f642.png) <https://t.co/qo0WLLsQIV> <https://t.co/HZA0y5Sghi> > > -- binaryboy (@b1n4r1b01) [January 1, 2022](<https://twitter.com/b1n4r1b01/status/1477172028524355585?ref_src=twsrc%5Etfw>) The other researcher reported the issue through the Zero-Day-Initiative (ZDI) three months ago, waited for two months and then decided to report to Apple directly. > I reported this vulnerability to [@thezdi](<https://twitter.com/thezdi?ref_src=twsrc%5Etfw>) about 3 months ago and unfortunately they didn’t answer me for like 2 months, then i canceled my report and sent it to apple directly. And we see it had been exploited in the wild. <https://t.co/RjnjiY4esr> > > -- Meysam Firouzi (@R00tkitSMM) [January 26, 2022](<https://twitter.com/R00tkitSMM/status/1486477431431065601?ref_src=twsrc%5Etfw>) The Zero Day Initiative (ZDI) was created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers, although there has been some complaints from researchers that they didn't feel they were taken seriously by the ZDI. ## IOMobileFrameBuffer CVE-2022-22587 is a memory corruption bug in the IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey. IOMobileFrameBuffer is a kernel extension for managing the screen FrameBuffer. An earlier vulnerability in this extension, listed as [CVE-2021-30807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>), was tied to the [Pegasus spyware](<https://blog.malwarebytes.com/privacy-2/2021/07/pegasus-spyware-has-been-here-for-years-we-must-stop-ignoring-it/>). Another one was listed as [CVE-2021-30883](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30883>) and also allowed an application to execute arbitrary code with kernel privileges. We hope that the input validation has now been curated to makes this impossible in the future. ## Actively exploited Apple [acknowledged](<https://support.apple.com/en-us/HT213053>) that it was aware of a report that this issue may have been actively exploited. ## Safari Webkit bug The second zero-day is the Safari WebKit bug in iOS and iPadOS that [allowed websites to track your browsing activity and users' identities](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/browsers-on-ios-ipados-and-mac-leak-your-browsing-activity-and-personal-identifiers/>) in real-time. After a researcher of FingerprintJS disclosed the bug in November, it was assigned the [CVE-2022-22594](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22594>) and has been fixed. ## Updates iOS 15.3 and iPadOS 15.3 fixes a total of ten security bugs. The updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). ![iPadOS update available.](https://blog.malwarebytes.com/wp-content/uploads/2022/01/Update_available-600x486.png) macOS Monterey 12.2 patches a total of 13 vulnerabilities in total. The latter also promises to bring smoother scrolling to MacBooks, fixing a previously reported scrolling issue in Safari. Apple also released security fixes for legacy versions of macOS Big Sur and Catalina. Stay safe, everyone! The post [Update now! Apple patches another actively used zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-apple-patches-another-actively-used-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).