
Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices

The Hacker News (thehackernews.com), 2022-04-01 02:43:00

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild.

The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both vulnerabilities were reported to Apple anonymously.

Tracked as CVE-2022-22675, the first issue has been described as an out-of-bounds write vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.

Apple said the defect was resolved with improved bounds checking, adding it's aware that "this issue may have been actively exploited."

The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for CVE-2022-22674, an out-of-bounds read issue in the Intel Graphics Driver module that could enable a malicious actor to read kernel memory.

The bug was "addressed with improved input validation," the iPhone maker noted, once again stating there's evidence of active exploitation, while withholding additional details to prevent further abuse.

The latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of the year, not to mention a publicly disclosed flaw in the IndexedDB API (CVE-2022-22594), which could be weaponized by a malicious website to track users' online activity and identities in the web browser.

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution

In light of active exploitation of the flaws, Apple iPhone, iPad, and Mac users are strongly advised to upgrade to the latest versions of the software as soon as possible to mitigate potential threats.

The iOS and iPad updates are available to iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
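
As an added example (not from the article or from Apple), the following triages a device inventory against the fixed releases named above. The inventory rows and hostnames are constructed, and treating any later release as carrying the fix is an assumption; devices on an older major release are routed to manual review because the article does not say whether they are affected.

```python
import re

# Fixed releases as named in the article, keyed by platform.
FIXED = {
    "iOS": (15, 4, 1),
    "iPadOS": (15, 4, 1),
    "macOS": (12, 3, 1),   # macOS Monterey
    "tvOS": (15, 4, 1),
    "watchOS": (8, 5, 1),
}

def parse_version(text):
    """'15.4' -> (15, 4, 0). Raises ValueError unless dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(platform, version):
    """Return 'patched', 'needs-update' or 'review' for one device."""
    fixed = FIXED.get(platform)
    if fixed is None:
        return "review"              # platform not covered by the article
    try:
        v = parse_version(version)
    except ValueError:
        return "review"              # never guess from a malformed version
    if v >= fixed:
        return "patched"             # assumption: later releases keep the fix
    if v[0] == fixed[0]:
        return "needs-update"        # same major line, below the fixed release
    return "review"                  # older major: article is silent on it

def report(inventory):
    """Map (host, platform, version) rows to (host, status) pairs."""
    return [(host, triage(p, v)) for host, p, v in inventory]

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = [
    ("mbp-01", "macOS", "12.3"),
    ("mbp-02", "macOS", "12.3.1"),
    ("imac-03", "macOS", "11.6.5"),
    ("iphone-04", "iOS", "15.4"),
    ("watch-05", "watchOS", "8.5"),
    ("tv-06", "tvOS", "unknown"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY):
        print(f"{host}: {status}")
```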
