Apple rolls out emergency patch for gaping security hole in Macs, Watches

Macbook computers, note book, pencil, magic mouse, iPhone, dry flowers and cactus vase on wooden table
(Image credit: Krisda / Shutterstock.)

Apple has patched a major zero-day vulnerability being used in the wild against Mac devices and Apple Watches, the company has confirmed.

As reported by BleepingComputer, an unidentified cybersecurity researcher notified Apple of an out-of-bounds write issue in the AppleAVD (audio and video decoding kernel extension), which was abused by threat actors to execute arbitrary code with elevated privileges.

The flaw (tracked as CVE-2022-22675) was fixed in three separate operating systems - macOS Big Sur 11.6, watchOS 8.6, and tvOS 15.5. Besides macOS endpoints running Big Sur, affected devices include Apple TV 4K devices, Apple TV 4K second-gen devices and Apple TV HD devices, as well as Apple Watch Series 3 or newer. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Keeping crooks in the dark

Apple is being relatively tight-lipped on the flaw, not releasing any additional details. In all likelihood, this is due to the fact that it can be exploited with relative ease, and therefore Apple wants to give admins a head start for patching, before the majority of threat actors pick up on it. 

Apple has been hard at work, patching this particular flaw for various devices and operating systems.

A month ago, it was reported that the company released fixes for the same issue for practically all iPhone and iPad models.

At the time, users were urged to update their operating systems to the newest version as soon as possible, which was iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1.

And this is hardly the only zero-day the company addressed recently. In March, Apple fixed CVE-2022-22674, while in January, it patched two zero-days - CVE-2022-2587 and CVE-2022-22594.

Via BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.