Apple has released a series of patches to address two zero-day vulnerabilities affecting its macOS Monterey desktop operating system (OS), its iOS and iPadOS OSes, and its Safari web browser.
The two vulnerabilities are tracked as CVE-2022-32893 and CVE-2022-32894. Both are out-of-bounds write issues, affecting the WebKit browser engine used by Safari and the OS kernel, respectively. Apple said it was aware of reports that both vulnerabilities may already have been actively exploited in the wild – making the need to patch more urgent.
Successfully exploited, CVE-2022-32893 enables a threat actor to achieve arbitrary code execution if the targeted user visits a maliciously crafted website. In layman’s terms, this could give them total control of the device.
CVE-2022-32894 enables a threat actor to use a malicious application to execute arbitrary code with kernel privileges, with the end effect again being to gain control of the target device. Kernel vulnerabilities are among the most dangerous security issues a device can face, so organisations running Apple estates should prioritise these patches for deployment.
Consumer users will also be at risk of compromise, but should bear in mind that Apple devices can and do take such updates automatically so they may already have applied the patches. Users can check their update status and download patches through Apple Menu – About this Mac – Software Update on a Mac, or Settings – General – Software Update on an iPhone or iPad.
The relevant patches update macOS Monterey to version 12.5.1, iOS and iPadOS to version 15.6.1, and Safari to version 15.6.1 for macOS Big Sur and macOS Catalina.
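For administrators who need to confirm patch status across a fleet rather than one device at a time, the following shell script is an added example (not from the article or from Apple) that compares a reported version string against the fixed versions named above; the product keys, function names and the treatment of non-Monterey macOS builds are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): decide whether a reported OS or Safari
# version is at or above the fixed versions named in the write-up.
# Fixed versions come from the text; product keys and function names are assumptions.

MACOS_MONTEREY_FIXED=12.5.1   # CVE-2022-32894 kernel fix for Monterey
IOS_IPADOS_FIXED=15.6.1       # both CVEs on iOS/iPadOS
SAFARI_FIXED=15.6.1           # CVE-2022-32893 WebKit fix for Big Sur/Catalina

# vfield VERSION N: print the Nth dotted component, or 0 when absent (12.5 -> 12.5.0)
vfield() {
    f=$(printf '%s.' "$1" | cut -d. -f"$2")
    printf '%s' "${f:-0}"
}

# version_ge A B: succeed when dotted version A is greater than or equal to B
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        pa=$(vfield "$1" "$i"); pb=$(vfield "$2" "$i")
        [ "$pa" -gt "$pb" ] && return 0
        [ "$pa" -lt "$pb" ] && return 1
        i=$((i + 1))
    done
    return 0   # all components equal
}

# patch_status PRODUCT VERSION: print "patched" or "UNPATCHED" for macos|ios|ipados|safari
patch_status() {
    case "$1" in
        macos)
            # 12.5.1 is a Monterey build; other macOS major versions need their own check
            [ "$(vfield "$2" 1)" -eq 12 ] || { printf 'not Monterey\n'; return 2; }
            fixed=$MACOS_MONTEREY_FIXED ;;
        ios|ipados) fixed=$IOS_IPADOS_FIXED ;;
        safari)     fixed=$SAFARI_FIXED ;;
        *) printf 'unknown product %s\n' "$1" >&2; return 2 ;;
    esac
    if version_ge "$2" "$fixed"; then printf 'patched\n'; else printf 'UNPATCHED\n'; fi
}

# check_this_mac: run on the Mac itself (assumes sw_vers is available, i.e. macOS)
check_this_mac() {
    patch_status macos "$(sw_vers -productVersion)"
}
```

Feed it inventory output (product and version per device) to get a patched/unpatched list; a Mac that is still on 12.5 or earlier, or an iPhone below 15.6.1, is reported as UNPATCHED.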
Unlike Microsoft, Apple does not adhere to any specific schedule for disclosing vulnerabilities or publishing fixes for them, but Comparitech’s Brian Higgins said the fact that Apple had taken the step of issuing an advisory for the two zero-days made them highly impactful.
“Sometimes platform providers release functions that are so dangerous they need to be fixed immediately to protect applications and devices, and that appears to be the case here,” he said.
“Apple usually rely on software updates to keep their platforms safe and hope that any bugs go largely unnoticed between releases. It’s very rare for them to go public like this, which means everyone should take this threat seriously and update as soon as they are able.”
Higgins added: “The big risk in publicising a major vulnerability is that now every cyber criminal on the planet knows it exists and Apple users are in a race to update their devices before they can be infected. If Apple think it’s so serious that they need to go public, then if you haven’t already installed iOS 15.6.1, you need to go and do it right now.”
Apple has patched multiple other zero-days this year, including other issues related to kernel security – CVE-2022-22674, fixed in April, was an Intel Graphics Driver vulnerability patched in macOS Monterey. It was an out-of-bounds read issue that could have led to the disclosure of kernel memory.
And back in January, Cupertino fixed CVE-2022-22586, a remote code execution (RCE) vulnerability which existed in the IOBuffer component of iOS and pre-Catalina versions of macOS.