Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

Apple on Wednesday released security updates for iOS, iPadOS[1],
and macOS[2] platforms to remediate two zero-day vulnerabilities
previously exploited by threat actors to compromise its devices.

The list of issues is below –

  • CVE-2022-32893 – An out-of-bounds issue in
    WebKit which could lead to the execution of arbitrary code by
    processing specially crafted web content
  • CVE-2022-32894 – An out-of-bounds issue in the
    operating system’s Kernel that could be abused by a malicious
    application to execute arbitrary code with the highest
    privileges

Apple said it addressed both issues with improved bounds
checking, adding it’s aware the vulnerabilities “may have been
actively exploited.”

The company did not disclose any additional information
regarding these attacks or the identities of the threat actors
perpetrating them, although it’s likely that they were abused as
part of highly-targeted intrusions.

The latest update brings the total number of zero-days patched
by Apple to six since the start of the year –

  • CVE-2022-22587[3] (IOMobileFrameBuffer) –
    A malicious application may be able to execute arbitrary code with
    kernel privileges
  • CVE-2022-22620[4] (WebKit) – Processing
    maliciously crafted web content may lead to arbitrary code
    execution
  • CVE-2022-22674[5] (Intel Graphics Driver)
    – An application may be able to read kernel memory
  • CVE-2022-22675[6] (AppleAVD) – An
    application may be able to execute arbitrary code with kernel
    privileges

Both vulnerabilities have been fixed in iOS 15.6.1, iPadOS
15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are
available for iPhone 6s and later, iPad Pro (all models), iPad Air
2 and later, iPad 5th generation and later, iPad mini 4 and later,
and iPod touch (7th generation).

References

  1. iOS, iPadOS (support.apple.com)
  2. macOS (support.apple.com)
  3. CVE-2022-22587 (thehackernews.com)
  4. CVE-2022-22620 (thehackernews.com)
  5. CVE-2022-22674 (thehackernews.com)
  6. CVE-2022-22675 (thehackernews.com)
