Apple has released security patches for the seventh zero-day vulnerability exploited in attacks against iPhones and Macs since the beginning of the year.
In security advisories released on Monday, Apple said it is aware of reports that this security hole “may have been actively exploited.”
The flaw, tracked as CVE-2022-32917, may allow a maliciously crafted application to execute arbitrary code with kernel privileges.

It was reported to Apple by an unnamed researcher and was fixed with improved bounds checks in iOS 15.7, iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7.
The full list of impacted devices is as follows:
- iPhone 6s and later, all models of the iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the 7th-generation iPod touch
- Macs running macOS Monterey 12.6 and macOS Big Sur 11.7
Apple also backported the fix for a second zero-day (CVE-2022-32894) to Macs running macOS Big Sur 11.7, after issuing additional security updates on August 31 to fix the same flaw on iOS versions running on older iPhones and iPads.
Although Apple acknowledged active exploitation of this vulnerability in the wild, it has not yet provided any details about these attacks.
Apple’s decision to withhold this information suggests that it wants to give as many users as possible the opportunity to patch their devices before other attackers create their own exploits and begin using them in attacks on vulnerable Macs and iPhones.
Since the beginning of the year, Apple has patched eight zero-day vulnerabilities:
- It fixed two zero-day flaws in WebKit (CVE-2022-32894) and the iOS Kernel (CVE-2022-32893) in August.
- Apple fixed two zero-day flaws in the AppleAVD and the Intel Graphics Driver in March (CVE-2022-22675).
- Apple provided security fixes in February to address yet another WebKit zero-day flaw that had been used in attacks against iPhones, iPads, and Macs.
- Apple fixed two additional exploited zero-days that allowed for tracking web browsing activity and code execution with kernel privileges in January (CVE-2022-22587, CVE-2022-22594).
Even though this zero-day was likely used only in highly targeted attacks, installing these security updates as soon as you can is still strongly encouraged in order to block attack attempts.