Apple has discovered two actively exploited zero-day vulnerabilities that could give attackers full access to a wide range of Apple devices, prompting the company to release security updates and urging users to apply the fixes immediately.
According to Apple, the two zero-day out-of-bounds write bugs affect iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and 7th generation iPod Touch.
Specifically, the vulnerabilities (CVE-2022-32894 and CVE-2022-32893) lie in Kernel and WebKit, and attackers can exploit the vulnerabilities to execute arbitrary code with kernel privileges or use maliciously crafted web content to execute arbitrary code, respectively.
Over the last two days, Apple released iOS 15.6.1, iPadOS 15.6.1, Safari 15.6.1 and macOS Monterey 12.5.1.
According to cybersecurity firm Malwarebytes, attackers could take complete control of devices if they were able to obtain kernel privileges, and they could leverage the flaw in Webkit—which powers all iOS web browsers and Safari—to executive arbitrary code if a user is tricked into going to a malicious website.
In a blog, Malwarebytes researchers say it appears likely that these bugs were found in an active attack that chained the two together, first using the WebKit bug to run code before obtaining kernel privileges.
Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.
That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32892 could be exploited for initial code to be run. This code could be used to leverage CVE-2022-32894 to obtain kernel privileges
Apple released few other details, but the U.S. Cybersecurity and Infrastructure Security Agency says attackers could exploit these bugs to take control of an affected device. The agency urges users and administrators in organizations with Apple devices deployed to apply the updates as soon as possible.
CISA also added the bugs to its list of known exploited vulnerabilities, mandating U.S. agencies to patch the vulnerabilities by Sept. 8.
It remains to see if we’ll get more information or technical details about these bugs, but seeing as how these bugs have the attention of the U.S. government, we recommend patching these immediately.
Leave a Reply