Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:
Kernel privileges
CVE-2022-32894: An out-of-bounds write issue was addressed with improved bounds checking. The vulnerability could allow an application to execute arbitrary code with kernel privileges. The kernel privileges are the highest possible privileges, so an attacker could take complete control of a vulnerable system by exploiting this vulnerability.
Apple points out that they are aware of a report that this issue may have been actively exploited.
WebKit
CVE-2022-32893: An out-of-bounds write issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. Since the vulnerability exists in Apple’s HTML rendering software (WebKit). WebKit powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.
Apple points out that they are aware of a report that this issue may have been actively exploited.
More details
Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.
That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32893 could be exploited for initial code to be run. This code could be used to leverage CVE-2022-32894 to obtain kernel privileges
Mitigation
Users are under advice to implement the updates as soon as possible, by upgrading to:
- iOS 15.6.1
- iPadOS 15.6.
- macOS Monterey 12.5.1
Details can be found on the security content for macOS page. And instructions to apply updates are available on the Apple Security Updates page.
Update August 19, 2022
The fix for CVE-2022-32893 is now also available for Safari in macOS Big Sur and macOS Catalina.
CISA has added both CVE’s to the list of known to be exploited vulnerabilities with a due date for patching of September 8, 2022.
Stay safe, everyone!