On Monday, Apple released a long list of patched vulnerabilities in its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it's aware that threat actors may have been actively exploiting this vulnerability, which is tracked as CVE-2022-32917.
As it's a zero-day, little has been disclosed about CVE-2022-32917, only that it may allow malformed applications to execute potentially malicious code with kernel privileges. Apple says it has patched this flaw with improved bounds checks. Below is a list of products this bug affects:
- Macs running macOS Monterey 12.6 and macOS Big Sur 11.7
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
CVE-2022-32917 is the eighth zero-day flaw that Apple has addressed since the beginning of 2022. The first seven are as follows:
- CVE-2022-32894, a flaw in the iOS Kernel, was patched in August
- CVE-2022-32893, a flaw in WebKit, was patched in August
- CVE-2022-22674, an Intel Graphics Driver bug, was patched in March
- CVE-2022-22675, a bug in AppleACD, was patched in March
- CVE-2022-22620, a WebKit bug affecting iPhones, Macs, and iPads, was patched in February
- CVE-2022-22587, a privileged code execution flaw, was patched in January
- CVE-2022-22594, a web browser activity tracking flaw, was patched in January
Since we received a lot of questions about what actions are needed, we're adding this section for your convenience.
The necessary updates for these vulnerabilities were included in:
- the September 12 update for macOS Big Sur 11.7.
- the September 12 update for macOS Monterey 12.6.
- the September 12 update for iOS 15.7 and iPadOS 15.7.
These should all have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level.
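One way to script that check, for example across a device inventory, is the added sketch below. It is not code from Apple or from this article: the minimum versions come from the update list above, and the function names and status strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example: compare an OS version with the patched releases listed above.
# ver_ge, patch_status and the status strings are names assumed for this sketch.

# ver_ge A B: succeed when dotted version A >= B (missing fields count as 0).
ver_ge() {
    a_rest=$1 b_rest=$2
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a=${a_rest%%.*}; b=${b_rest%%.*}
        case $a_rest in *.*) a_rest=${a_rest#*.} ;; *) a_rest= ;; esac
        case $b_rest in *.*) b_rest=${b_rest#*.} ;; *) b_rest= ;; esac
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# patch_status PLATFORM VERSION
# Prints: patched | needs-update | not-covered | invalid
# PLATFORM is "macos" or "ios" (iOS and iPadOS share the 15.7 level above).
patch_status() {
    # Reject anything that is not digits and dots, such as beta suffixes.
    case $2 in ''|*[!0-9.]*) echo invalid; return 0 ;; esac
    major=${2%%.*}
    # Each release branch has its own minimum; other branches are not
    # covered by the update list in this article.
    case "$1:$major" in
        macos:11) min=11.7 ;;   # macOS Big Sur
        macos:12) min=12.6 ;;   # macOS Monterey
        ios:15)   min=15.7 ;;   # iOS and iPadOS
        *) echo not-covered; return 0 ;;
    esac
    if ver_ge "$2" "$min"; then echo patched; else echo needs-update; fi
}

# On a Mac, report the status of the running system.
if command -v sw_vers >/dev/null 2>&1; then
    patch_status macos "$(sw_vers -productVersion)"
fi
```

A `not-covered` result means the release branch is not in the list above, not that the device is safe.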
As this latest vulnerability is already being exploited, it's really important that you update your devices as soon as you can. Stay safe!