Apple Thursday released fixes for two critical zero-day vulnerabilities in iPhones, iPads and Macs that give hackers dangerous access to the internals of the operating systems the devices run on.
Apple credited an anonymous researcher with discovering both vulnerabilities. The first vulnerability, CVE-2022-22675, resides in macOS for Monterey and iOS or iPadOS for most iPhone and iPad models. The flaw, which stems from an out-of-bounds write problem, allows hackers to execute malicious code that runs with privileges from the kernel, the most security-sensitive region of the operating system. CVE-2022-22674, meanwhile, is also due to an out-of-range read issue that could lead to kernel memory disclosure.
Apple revealed bare details for the flaws here and here. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote about both vulnerabilities.
It’s raining Apple zero days
CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days Apple has patched this year. In January, the company released patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS, and HomePod Software to fix a zero-day memory corruption bug that would allow exploiters to run code with kernel privileges. The bug, tracked as CVE-2022-22587, was located in the IOMobileFrameBuffer. A separate vulnerability, CVE-2022-22594, allowed websites to track sensitive user information. The exploit code for that vulnerability was publicly released before the patch was released.
Apple released a fix in February for a useless bug in the Webkit browser engine that allowed attackers to execute malicious code on iPhones, iPads, and iTouches. Apple said reports it received indicated that the vulnerability – CVE-2022-22620 – may also have been actively exploited.
A spreadsheet used by Google security researchers to track zero-days shows that by 2021 Apple has fixed a total of 12 such vulnerabilities. One was a bug in iMessage that targeted the Pegasus spyware framework using a zero-click exploit, meaning that devices were infected only by receiving a malicious message, with no user action required. Two zero-days that Apple patched in May made it possible for attackers to infect fully up-to-date devices.