Apple on Thursday released fixes for two critical zero-day vulnerabilities in iPhones, iPads and Macs that allow hackers dangerous access to the internals of the operating systems the devices run on.
Apple credited the discovery of both vulnerabilities to an anonymous researcher. The first vulnerability, CVE-2022-22675, is in macOS Monterey and in iOS or iPadOS for most iPhone and iPad models. The flaw, which stems from an out-of-bounds write issue, allows hackers to execute malicious code that runs with the privileges of the kernel, the most security-sensitive region of the operating system. CVE-2022-22674, meanwhile, results from an out-of-bounds read issue that can lead to kernel memory exposure.
Apple released bare-bones details for both bugs. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote about both vulnerabilities.
Apple zero-days are raining down
CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days that Apple has patched this year. In January, the company rushed to release patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS, and HomePod Software to fix a zero-day memory corruption bug that could allow attackers to run code with kernel privileges. The bug, tracked as CVE-2022-22587, was in the IOMobileFrameBuffer. A separate vulnerability, CVE-2022-22594, allowed websites to track sensitive user information. Exploit code for this vulnerability was publicly released before the patch was issued.
In February, Apple released a fix for a use-after-free bug in the WebKit browser engine that gave attackers the ability to run malicious code on iPhones, iPads, and iTouches. Apple said reports it received indicated that the vulnerability, CVE-2022-22620, may also have been actively exploited.
A spreadsheet that Google security researchers use for tracking zero-days shows Apple fixed a total of 12 such vulnerabilities in 2021. Among them was a bug in iMessage that was targeted by the Pegasus spyware framework with a zero-click exploit, meaning that devices are compromised simply by receiving a malicious message, with no user action required. Two zero-days patched by Apple in May allowed attackers to infect cutting-edge devices.