Apple has fixed two zero-days that have allegedly been abused in the wild affecting its iPhone, iPad, and Mac devices.
In a security advisory published by the company, Apple said the patch fixed CVE-2022-22674, and CVE-2022-22675. The former is an out-of-bounds write vulnerability in the Intel Graphics Driver that allows apps to read kernel memory, while the latter is an out-of-bounds read issue in the AppleAVD media decoder allowing apps to execute arbitrary code with kernel privileges.
Apple says the flaws might have been exploited in the wild, most likely for identity theft and other fraudulent activity, so users are urged to update their operating systems to the newest version as soon as possible: iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1.
Looking for zero-days
All iPhone models from the iPhone 6 upwards are affected, as well as all iPad Pro models, all iPad Airs, from 2 onwards, as well as all iPads, from the 5th generation. iPad mini 4 and newer, and iPod touch 7th generation and newer, are all affected.
Threat actors are always on the lookout for software vulnerabilities, with Apple also recently pushing an OS update for the Apple Watch, iPhone, and iPad to fix an exploit being actively abused in the wild.
The exploit was found by Google's Project Zero team and impacts WebKit – the browser engine that Apple used to build Safari.
In September 2021, the company also had to issue an urgent update to patch a zero-day arbitrary code execution in iOS and macOS devices, tracked as CVE-2021-30869, which was also being abused in the wild.
Although Apple hasn’t shared much details about the vulnerability citing customer’s protection, it did mention that the bug exists in Apple’s open source XNU operating system kernel.
Apple reportedly has had to deal with several zero-days off late, many of whom have been used in attacks against iOS and macOS devices, the most notorious being the ones exploited to install Pegasus spyware on iPhones.
Via: BleepingComputer
