Malwarebytes blogMALWAREBYTES:E9F8D9962C90DF0556F1F4180FFAA7D7[updated] Important update! iPhones, Macs, and more vulnerable to zero-day bug
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed itβs aware that threat actors may have been actively exploiting this vulnerability, which is tracked as CVE-2022-32917.
As itβs a zero-day, nothing much is said about CVE-2022-32917, only that it may allow malformed applications to execute potentially malicious code with kernel privileges. Apple says itβs patched this flaw with improved bounds checks. Below is a list of products this bug affects:
- Macs running macOS Monterey 12.6 and macOS Big Sur 11.7
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
CVE-2022-32917 is the eighth zero-day flaw that Apple has addressed since the beginning of 2022. The first seven are as follows:
- CVE-2022-32894, a flaw in the iOS Kernel, was patched in August
- CVE-2022-32893, a flaw in WebKit, was patched in August
- CVE-2022-22674, an Intel Graphics Driver bug, was patched in March
- CVE-2022-22675, a bug in AppleACD, was patched in March
- CVE-2022-22620, a WebKit bug affecting iPhones, Macs, and iPads, was patched in February
- CVE-2022-22587, a privileged code execution flaw, was patched in January
- CVE-2022-22594, a web browser activity tracking flaw, was patched in January
Mitigation
Since we received a lot of questions about what actions are needed, weβre adding this section for your convenience.
The necessary updates for these vulnerabilities were included in:
- the September 12 update for macOS Big Sur 11.7.
- the September 12 update for macOS Monterey 12.6.
- the September 12 update for iOS 15.7 and iPadOS 15.7.
These should all have reached you in your regular update routines, but it doesnβt hurt to check if your device is at the latest update level.
How to update your iPhone or iPad.
If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.
As this latest vulnerability is already being exploited, itβs really important that you update your devices as soon as you can. Stay safe!
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C