Apple has issued an out-of-sequence patch for two newly disclosed zero-day vulnerabilities affecting iPad, iPhone and Mac products, which appear to have been actively exploited by malicious actors.
Disclosed by an anonymous security researcher, the vulnerabilities are being tracked as CVE-2022-22674 and CVE-22675, respectively. They are the fourth and fifth zero-days found in Apple kit this year to date.
CVE-2022-22674 exists in the Intel Graphics Driver and is patched in macOS Monterey only. It is an out-of-bounds read issue that, if exploited, leads to the disclosure of kernel memory.
CVE-2022-22675 exists in the AppleAVD audio and video decoding framework for macOS Monterey, iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad fifth generation and later, iPad Mini 4 and later, and iPod Touch seventh generation.
This vulnerability is an out-of-bounds write issue that, if exploited, enables an application to execute arbitrary code with kernel privileges.
Sophos’s Paul Ducklin said such kernel vulnerabilities were, broadly speaking, some of the more potentially dangerous issues that could impact Apple devices.
This is because if they can access the kernel, a malicious actor “pretty much has access-all-areas privileges” on the target device, which in a worst-case scenario would enable them to take full control of it, he said.
Bearing in mind that Apple devices are capable of taking such updates automatically, and, as such, many will have already received the patches, users can check their update status and download them by going to Apple Menu – About this Mac – Software Update on a Mac, or Settings – General – Software Update on an iPhone or iPad.
The new patched version of macOS Monterey is 12.3.1, and the patched version of iOS and iPadOS is 15.4.1.
If you do not have automatic updates turned on, you should do this today, as ESET’s Jake Moore said: “When such flaws are located in the wild, it is a race against time for those looking to find a solution. When Apple pushes out a fix in a patch, it is vital that users update at the earliest convenience and do not procrastinate.
“Many people often feel overwhelmed by the quantity of updates sent by Apple and Android, but these are for the benefit of the device and the owner. Threat actors constantly tailor their attacks to any given vulnerability. Luckily, these updates are never too far behind, but must be installed immediately to take effect.”