Apple issues emergency patches to fix actively exploited zero-days

Apple released emergency patches to address two zero-day vulnerabilities actively exploited to compromise iPhones, iPads, and Macs.

Apple has released emergency security patches to address two zero-day vulnerabilities actively exploited to hack iPhones, iPads, and Macs.

The first zero-day, tracked as CVE-2022-22674, is an out-of-bounds read issue that resides in the Intel Graphics Driver that could allow malicious apps to read kernel memory.

“An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by the IT giant.

The second flaw, tracked as CVE-2022-22675, is an out-of-bounds write issue that affects the AppleAVD media decoder. The exploitation of the issue can lead to read kernel memory that will enable apps to execute arbitrary code with kernel privileges.

“An application may be able to execute arbitrary code with kernel privileges.” reads the advisory. “An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.“

Both zero-day flaws were reported by anonymous researchers and by Apple addressed them with the release of iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1. Apple addressed them with improved input validation and bounds checking, respectively.

Apple did not disclose any detail about the exploitation of the vulnerabilities in the wild.

Users are recommended to immediately install the security updates as soon as possible.

Apple addressed other three actively exploited vulnerabilities since January. In February, Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22620, in the WebKit affecting iOS, iPadOS, macOS, and Safari. The flaw was a use after free issue that could be triggered by processing maliciously crafted web content, leading to arbitrary code execution.

In January, the company has addressed another couple of zero-day vulnerabilities tracked as CVE-2022-22587 and CVE-2022-22594 respectively. An attacker could have exploited the flaws to run arbitrary code on the vulnerable devices and track users’ online activity in the web browser.In January, Apple patched two more actively exploited zero-days that can enable attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and the users’ identities in real-time (CVE-2022-22594).

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.