Apple rushes out patches for two zero-days threatening iOS and macOS users

Apple on Thursday released fixes for two critical zero-day vulnerabilities in iPhone, iPad and Mac devices, which give hackers dangerous access to the internals of the operating systems the devices run on.

Apple credited an anonymous researcher with discovering both vulnerabilities. The first vulnerability, CVE-2022-22675, is in macOS Monterey and in iOS or iPadOS for most iPhone and iPad models. The flaw, which stems from an out-of-bounds write issue, gives hackers the ability to execute malicious code that runs with kernel privileges, the operating system's most security-sensitive area. Meanwhile, CVE-2022-22674 results from an out-of-bounds read issue that can lead to the disclosure of kernel memory.

Apple disclosed details of the flaws here and here. The company wrote about both vulnerabilities: “Apple is aware of a report that this issue may have been actively exploited.”

Raining Apple zero-days

CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days that Apple has patched this year. In January, the company rushed out patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS, and HomePod to fix a zero-day memory corruption bug that could give exploiters the ability to execute code with kernel privileges. The bug, which is tracked as CVE-2022-22587, is in IOMobileFrameBuffer. A separate vulnerability, CVE-2022-22594, made it possible for websites to track sensitive user information. Exploit code for this vulnerability was released publicly before the patch was issued.

In February, Apple pushed out a fix for a use-after-free bug in the WebKit browser engine that gave attackers the ability to run malicious code on iPhones, iPads, and iTouches. Apple said reports it had received indicated that the vulnerability, CVE-2022-22620, may have been actively exploited.

A table that Google security researchers keep to track zero-days shows that Apple fixed a total of 12 such vulnerabilities in 2021. Among them was a flaw in iMessage that the Pegasus spyware framework targeted using a zero-click exploit, meaning that devices were infected as soon as they received a malicious message, without requiring any action from the user. A zero-day that Apple patched in May made it possible for attackers to infect fully updated devices.
