On Wednesday, Apple released security updates for iOS, iPadOS and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise devices.
- CVE-2022-32893 – An out-of-bounds issue in WebKit that could lead to the execution of arbitrary code when processing specially crafted web content
- CVE-2022-32894 – An out-of-bounds issue in the operating system's kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges
Apple said it has addressed both issues with improved bounds checking, adding that it is aware the vulnerabilities "may have been actively exploited" already.
No information was disclosed regarding these attacks.
The latest update brings the total number of zero-days patched by Apple to six since the start of the year:
- CVE-2022-22587 (IOMobileFrameBuffer)
- CVE-2022-22620 (WebKit)
- CVE-2022-22674 (Intel Graphics Driver)
- CVE-2022-22675 (AppleAVD)
Both vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th gen and later, iPad mini 4 and later, and iPod touch (7th generation).