Apple has released updates to its products that, among other things, fix two zero-day vulnerabilities already used by attackers to hack iPhone, iPad, and Mac.
Both vulnerabilities are the same for all three operating systems and were fixed in macOS Monterey 12.5.1 and iOS 15.6.1 and iPadOS 15.6.1.
The first bug has the ID CVE-2022-32894 and is an out-of-bounds write problem in the OS kernel. The developers explain that any application (including malicious ones) can use this vulnerability to execute arbitrary code with kernel privileges. Since this is the highest level of privilege, the process is able to execute any command on the device, effectively gaining full control over it.
The second bug, CVE-2022-32893, is also an out-of-bounds writing problem, but in WebKit (the engine used by Safari and other applications that can access the Internet). Apple says this vulnerability also allows arbitrary code execution. Since the vulnerability was found in a web engine, it is likely that it could be exploited remotely, simply by visiting a malicious site.
Unfortunately, Apple does not provide any details about the exploitation of these problems in real attacks, although it emphasizes that hackers could already use them. It can be assumed that 0-day vulnerabilities were used in targeted attacks, as is often the case with bugs in Apple devices.
It is also not reported who and when these vulnerabilities were discovered. In all cases, the company refers to the researcher, who wished to remain anonymous.
It is worth noting that following the patches for the OS, the company’s engineers released a separate update for their bra. user (Safari 15.6.1 for macOS Big Sur and Catalina), which eliminated the same 0-day in WebKit – CVE-2022-32893.