Apple issued security updates to fix zero-day vulnerabilities that were reportedly being actively exploited. The vulnerabilities could let an attacker execute arbitrary code on iPhone, iPad, and Mac devices and even take control of them.
Apple has not published any proof-of-concept attacks but disclosed the affected products:
- macOS Monterey
- iPhone 6S and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, iPod Touch (7th generation)
About the Apple Zero-Days
The vulnerabilities that affect mentioned Apple devices are tracked as CVE-2022-32893 and CVE-2022-32894, and the vendor described them as out-of-bounds write vulnerabilities. They are more likely to be exploited in targeted attacks.
CVE-2022-32893 exists in WebKit, a web browser engine used by Safari. This flaw could be remotely exploited by malicious websites a user clicks into and let the attacker execute arbitrary code.
The vulnerability identified as CVE-2022-32894 resides in the operating system’s Kernel. A malicious app can exploit it to execute code on Kernel-level privilege. Any command could be executed on the device by a process running with the Kernel privilege, and it could enable the attacker to control the device.
The vulnerabilities have been fixed with improved bounds checking.
Apple has fixed more zero-days throughout the year. The recent ones also existed in Kernel. Fixed in a March security update, CVE-2022-22674 results in Kernel memory exposure to local users, and CVE-2022-22675 lets an attacker execute arbitrary code.
How to Mitigate?
For Apple vulnerabilities, it is advised to apply vendor’s security updates soon to avoid exposure risks.
Check below for information about the security updates provided by Apple:
Google Rolls Out Fix for Exploited Chrome Zero-Day
Google’s security update for the Chrome browser fixes several flaws, including the fifth zero-day this year. The vulnerability is identified as CVE-2022-2856 and presents as a high-severity risk, it is said to be still exploited in the wild, but Google has not shared technical details yet. It is caused by a browser feature that allows launching web services and apps directly from a web page. It is described as “Insufficient validation of untrusted input in Intents.”
Lack of input validation can make way to override security protections and exceed intended functionality, as well as lead to consequences such as:
- SQL and null-byte injection
- Cross-site scripting
- Buffer overflow
- Directory traversal
Google has released a security update for 11 vulnerabilities, including zero-day. It recommends the immediate application of these updates, which are available for Windows, Mac, and Linux systems.