Apple has released updates to its products that, among other things, fix two 0-day vulnerabilities already used by attackers to hack iPhone, iPad and Mac.
Let me remind you that we also wrote that Apple leaves critical bugs unpatched in macOS Big Sur and Catalina, and also that the Research team uncovered 55 vulnerabilities in Apple products.
Both vulnerabilities are the same for all three operating systems, and were fixed in macOS Monterey 12.5.1, iOS 15.6.1 and iPadOS 15.6.1. The devices they endangered are:
- Mac running macOS Monterey;
- iPhone 6s and newer;
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
The first bug has the ID CVE-2022-32894 and is an out-of-bounds write problem in the OS kernel. The developers explain that any application (including malicious ones) can use this vulnerability to execute arbitrary code with kernel privileges. Since this is the highest level of privilege, the process is able to execute any command on the device, effectively gaining full control over it.
The second bug, CVE-2022-32893, is also an out-of-bounds write issue, but in WebKit (the engine used by Safari and other applications that can access the Internet). Apple says this vulnerability also allows arbitrary code execution. Since the vulnerability was found in a web engine, it is likely that it could be exploited remotely, simply by having the victim visit a malicious site.
Unfortunately, Apple does not provide any details about the exploitation of these problems in real attacks, although it emphasizes that hackers may already be using them. It can be assumed that the 0-day vulnerabilities were used in targeted attacks, as is often the case with bugs in Apple devices.
No details have been reported about the discovery of these vulnerabilities either. In all cases, the company credits a researcher who wished to remain anonymous.
It is worth noting that following the patches for the OS, the company’s engineers released a separate update for their browser (Safari 15.6.1 for macOS Big Sur and Catalina), in which they eliminated the same 0-day in WebKit – CVE-2022-32893.
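For defenders, the fixed versions above translate into a simple fleet check. The following is an added example, not code from Apple or from this article: it flags inventory records that are still below the patched releases, treating Big Sur and Catalina as covered only by the Safari 15.6.1 update. The record layout, host names and the choice to flag every release below the fixed one are assumptions.

```python
# Added example: patch-level check against the fixed versions named in the article.
# The record layout (dicts with "host", "os", "version", "safari") is an assumption.

FIXED_OS = {                 # first release containing both fixes, per the article
    "macOS": (12, 5, 1),     # macOS Monterey
    "iOS": (15, 6, 1),
    "iPadOS": (15, 6, 1),
}
FIXED_SAFARI = (15, 6, 1)    # standalone Safari update for Big Sur and Catalina
BOTH = ["CVE-2022-32894", "CVE-2022-32893"]


def parse(version):
    """'12.5' -> (12, 5, 0); padding makes 12.5 compare lower than 12.5.1."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def unpatched_cves(device):
    """Return the CVEs from the article that this device is still exposed to."""
    os_name, ver = device["os"], parse(device["version"])
    if os_name == "macOS" and ver < (12, 0, 0):
        # Big Sur (11.x) / Catalina (10.15.x): the article mentions only the
        # WebKit fix for these releases, delivered through Safari 15.6.1.
        safari = parse(device.get("safari", "0"))
        return ["CVE-2022-32893"] if safari < FIXED_SAFARI else []
    if os_name not in FIXED_OS:
        raise ValueError(f"unknown platform: {os_name}")
    # Assumption: every release below the fixed one is treated as exposed.
    return list(BOTH) if ver < FIXED_OS[os_name] else []


def report(inventory):
    """Map host name -> outstanding CVEs, omitting fully patched devices."""
    return {d["host"]: unpatched_cves(d) for d in inventory if unpatched_cves(d)}


INVENTORY = [  # constructed sample records
    {"host": "mbp-01", "os": "macOS", "version": "12.5"},
    {"host": "mbp-02", "os": "macOS", "version": "12.5.1"},
    {"host": "imac-03", "os": "macOS", "version": "11.6.8", "safari": "15.6"},
    {"host": "phone-04", "os": "iOS", "version": "15.6.1"},
    {"host": "ipad-05", "os": "iPadOS", "version": "15.5"},
]

if __name__ == "__main__":
    for host, cves in report(INVENTORY).items():
        print(host, "needs update:", ", ".join(cves))
```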