Today, Apple released iOS/iPadOS 15.6.1 and macOS Monterey 12.5.1. According to the update notes, these versions bring no functional upgrades; they mainly fix two 0-day security bugs affecting the kernel and WebKit.
An out-of-bounds write issue in WebKit (CVE-2022-32893) allows hackers to execute arbitrary code, and this vulnerability is being exploited. Hackers can exploit the flaw by tricking users into visiting maliciously crafted web content.
There is also an out-of-bounds write issue (CVE-2022-32894) in the operating system's kernel that may allow an application to execute arbitrary code with kernel privileges. Applications such as malware can exploit this vulnerability to run code at the highest privilege level and take full control of the device.
An anonymous researcher reported both flaws. “Apple is aware of a report that this issue may have been actively exploited,” the company said.
At present, all that is known is that CVE-2022-32893 and CVE-2022-32894 are out-of-bounds write flaws. For security reasons, Apple will disclose the full details of the vulnerabilities only after most users have updated.
The affected devices include:
- Macs running macOS Monterey
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Apple also recommends that users who are affected by the vulnerabilities and have not yet upgraded complete the upgrade as soon as possible.
Users are also advised to enable automatic software updates by going to Settings > General > Software Updates > Enable Automatic Updates.