Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw


Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild.

The issue, assigned the identifier **CVE-2022-32917**, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges.

"Apple is aware of a report that this issue may have been actively exploited," the iPhone maker acknowledged in a brief statement, adding it resolved the bug with improved bounds checks.

An anonymous researcher has been credited with reporting the shortcoming. It's worth noting that CVE-2022-32917 is also the [second Kernel-related zero-day flaw](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) that Apple has remediated in less than a month.

Patches are available in versions [iOS 15.7, iPadOS 15.7](<https://support.apple.com/en-us/HT213445>), [iOS 16](<https://support.apple.com/en-us/HT213446>), [macOS Big Sur 11.7](<https://support.apple.com/en-us/HT213443>), and [macOS Monterey 12.6](<https://support.apple.com/en-us/HT213444>).

The iOS and iPadOS updates cover iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
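As an added example (not from Apple or the original article), the following Python check compares a device inventory against the fixed versions listed above and flags release trains for which the article names no fix. The inventory rows, hostnames and status labels are constructed for illustration.

```python
# Added example: patch-level check for CVE-2022-32917 using the article's fixed versions.
FIXED = {  # (platform, major release train) -> first fixed version
    ("iOS", 15): (15, 7),
    ("iPadOS", 15): (15, 7),
    ("iOS", 16): (16, 0),
    ("macOS", 11): (11, 7),   # Big Sur
    ("macOS", 12): (12, 6),   # Monterey
}

def parse_version(text):
    """Turn '15.6.1' into (15, 6, 1); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def patch_status(platform, version):
    """Return patched / needs-update / no-fix-listed / unparseable (assumed labels)."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED.get((platform, v[0]))
    if fixed is None:
        return "no-fix-listed"  # the article lists no fixed version for this train
    # Pad with zeros so "16" compares equal to (16, 0).
    width = max(len(v), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))
    return "patched" if pad(v) >= pad(fixed) else "needs-update"

def audit(inventory):
    """Group hostnames by status for (host, platform, version) rows."""
    report = {}
    for host, platform, version in inventory:
        report.setdefault(patch_status(platform, version), []).append(host)
    return report

# Constructed sample inventory (hypothetical hostnames).
SAMPLE = [
    ("phone-01", "iOS", "15.6.1"),
    ("phone-02", "iOS", "16"),
    ("mac-01", "macOS", "12.5.1"),
    ("mac-03", "macOS", "10.15.7"),
    ("phone-03", "iOS", "15.x"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as `no-fix-listed` run a release train the article does not mention, so their exposure has to be confirmed against Apple's advisories rather than inferred from this table.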
With the latest fixes, Apple has addressed seven actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year:

* [**CVE-2022-22587**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
* [**CVE-2022-22594**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
* [**CVE-2022-22620**](<https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html>) (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
* [**CVE-2022-22674**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (Intel Graphics Driver) – An application may be able to read kernel memory
* [**CVE-2022-22675**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
* [**CVE-2022-32893**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
* [**CVE-2022-32894**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (Kernel) – An application may be able to execute arbitrary code with kernel privileges

Besides CVE-2022-32917, Apple has plugged 10 security holes in iOS 16, spanning Contacts, Kernel, Maps, MediaLibrary, Safari, and WebKit. The iOS 16 update is also notable for incorporating a new [Lockdown Mode](<https://thehackernews.com/2022/07/apples-new-lockdown-mode-protects.html>) that's designed to make zero-click attacks harder.
iOS further introduces a feature called [Rapid Security Response](<https://thehackernews.com/2022/06/apples-new-feature-will-install.html>) that makes it possible for users to automatically install security fixes on iOS devices without a full operating system update.

"Rapid Security Responses deliver important security improvements more quickly, before they become part of other improvements in a future software update," Apple said in a [revised support document](<https://support.apple.com/en-us/HT204204>) published on Monday.

Lastly, iOS 16 also brings support for [passkeys](<https://thehackernews.com/2022/05/google-to-add-passwordless.html>) in the Safari web browser, a passwordless sign-in mechanism that allows users to log in to websites and services by authenticating via Touch ID or Face ID.