Apple Now Rushes Out Patches – for 0-Days in MacOS & iOS!


Apple rushed out patches for two zero-days affecting macOS & iOS on Thursday, both of which are likely under active exploitation & could allow a threat actor to disrupt or access kernel activity.

The vulnerabilities could allow threat actors to disrupt or access kernel activity & may be under active exploitation.

Apple released separate security updates for the bugs – a vulnerability affecting both macOS & iOS tracked as CVE-2022-22675 & a macOS flaw tracked as CVE-2022-22674. Their discovery was attributed to an anonymous researcher.

Arbitrary Code

CVE-2022-22675 – found in the AppleAVD component present in both macOS & iOS – could allow an application to execute arbitrary code with kernel privileges, according to the advisory.

“An out-of-bounds write issue was addressed with improved bounds checking,” according to the advisory. “Apple is aware of a report that this issue may have been actively exploited.”

Intel Graphics Driver

CVE-2022-22674 is described in the advisory as an “out-of-bounds read issue” in the Intel Graphics Driver of macOS that could allow an application to read kernel memory. Apple addressed the bug – which also may have been actively exploited – with improved input validation, the company stated.

Apple did not disclose more specifics on the issues & what exploits may be occurring. It will not do so until it completes its investigation of the vulnerabilities, according to the advisory. However, customers are urged to update devices as soon as possible to patch the bugs.

Zero-Day

The vulnerabilities represent the 4th and 5th zero-day flaws patched by Apple this year.

That number is well on track to meet or exceed the number of such vulnerabilities that Apple was forced to respond to with fixes last year, which was 12, according to security researchers at Google, who keep a spreadsheet of zero-day flaws categorised by vendor.

Safari

To start off 2022, in January, Apple patched two zero-day bugs, one in its device OSes & another in the WebKit engine at the foundation of its Safari browser.

In February, Apple fixed another actively exploited WebKit bug, a use-after-free issue that allowed threat actors to execute arbitrary code on affected devices after they process maliciously crafted web content.

Last year, the company dealt with a number of WebKit zero-days as well as other key fixes that required emergency updates for its various OSes, according to the Google spreadsheet.

Security Controversies

One of those flaws was at the centre of one of the biggest security controversies of the year – a zero-click vulnerability targeting iMessage dubbed “Forced Entry” that NSO Group’s Pegasus spyware allegedly exploited to spy on activists & journalists.

The situation eventually led to legal action being taken against the Israel-based company by Facebook/Meta subsidiary WhatsApp as well as Apple.

 
