• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

My TechDecisions

  • Best of Tech Decisions
  • Topics
    • Video
    • Audio
    • Mobility
    • Unified Communications
    • IT Infrastructure
    • Network Security
    • Physical Security
    • Facility
    • Compliance
  • RFP Resources
  • Resources
  • Podcasts
  • Subscribe
  • Project of the Week
  • About Us
    SEARCH
Compliance, IT Infrastructure, Network Security, News

Patch Now: Apple Releases Fixes for Two Actively Exploited Zero-Day Bugs

Apple has discovered two actively exploited zero-day vulnerabilities that could give attackers full access to a wide range of Apple devices.

August 19, 2022 Zachary Comeau Leave a Comment

Microsoft Apple macOS bug

Apple has discovered two actively exploited zero-day vulnerabilities that could give attackers full access to a wide range of Apple devices, prompting the company to release security updates and urging users to apply the fixes immediately.

According to Apple, the two zero-day out-of-bounds write bugs affect iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and 7th generation iPod Touch.

Specifically, the vulnerabilities (CVE-2022-32894 and CVE-2022-32893) lie in Kernel and WebKit, and attackers can exploit the vulnerabilities to execute arbitrary code with kernel privileges or use maliciously crafted web content to execute arbitrary code, respectively.

Over the last two days, Apple released iOS 15.6.1, iPadOS 15.6.1, Safari 15.6.1 and macOS Monterey 12.5.1.

According to cybersecurity firm Malwarebytes, attackers could take complete control of devices if they were able to obtain kernel privileges, and they could leverage the flaw in Webkit—which powers all iOS web browsers and Safari—to executive arbitrary code if a user is tricked into going to a malicious website.

In a blog, Malwarebytes researchers say it appears likely that these bugs were found in an active attack that chained the two together, first using the WebKit bug to run code before obtaining kernel privileges.

Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.

That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32892 could be exploited for initial code to be run. This code could be used to leverage CVE-2022-32894 to obtain kernel privileges

Apple released few other details, but the U.S. Cybersecurity and Infrastructure Security Agency says attackers could exploit these bugs to take control of an affected device. The agency urges users and administrators in organizations with Apple devices deployed to apply the updates as soon as possible.

CISA also added the bugs to its list of known exploited vulnerabilities, mandating U.S. agencies to patch the vulnerabilities by Sept. 8.

It remains to see if we’ll get more information or technical details about these bugs, but seeing as how these bugs have the attention of the U.S. government, we recommend patching these immediately.

Tagged With: Apple, CISA, Vulnerability Management, zero-day

Related Content:

  • Barracuda networks ransomware, cyberinurance Ransomware Actors May Be Targeting Organizations With Cyber…
  • Bitwarden Secrets manager Bitwarden Releases Beta of Secrets Manager for DevOps…
  • AVer PTZ cameras, the PTZ310UNV2 and PTZ310UV2. AVer Introduces 4K 12X AI PTZ Cameras
  • Cisco Webex Board Pro, MIcrosoft Teams, Webex You Can Now Natively Run Microsoft Teams Rooms…

Free downloadable guide you may like:

  • Four IT Trends That Will Define 2023Expert Series: Four IT Trends That Will Define 2023

    Learn about four key technologies we identified as critical to your IT organization’s success in 2023, as well as how to invest in new innovations emerging from each.

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

Four IT Trends That Will Define 2023
Expert Series: Four IT Trends That Will Define 2023

Learn about four key technologies we identified as critical to your IT organization’s success in 2023, as well as how to invest in new innovations ...

Harnessing the Power of Digital Signage
Harnessing the Power of Digital Signage

Choosing the best solutions for messaging, branding, and communicating in today’s content-everywhere landscape

Blueprint Series Cover: What works for hybrid work
Blueprint Series: What Works for Hybrid Work

Download this free resource to learn about how IT leaders can effectively manage and implement a hybrid work model.

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!
Sharp Microsoft Collaboration HQ Logo

Learn More About the
Windows Collaboration Display

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales

AV-iQ

Footer

TechDecisions

  • Home
  • Welcome to TechDecisions
  • Subscribe to the Newsletter
  • Contact Us
  • Media Solutions & Advertising
  • Comment Guidelines
  • RSS Feeds
  • Twitter
  • Facebook
  • Linkedin

Free Technology Guides

FREE Downloadable resources from TechDecisions provide timely insight into the issues that IT, A/V, and Security end-users, managers, and decision makers are facing in commercial, corporate, education, institutional, and other vertical markets

View all Guides
TD Project of the Week

Get your latest project featured on TechDecisions Project of the Week. Submit your work once and it will be eligible for all upcoming weeks.

Enter Today!
Emerald Logo
ABOUTCAREERSAUTHORIZED SERVICE PROVIDERSTERMS OF USEPRIVACY POLICY

© 2023 Emerald X, LLC. All rights reserved.