On Thursday, Apple published emergency updates to address two zero-day defects in its mobile and desktop operating systems, which it said had been exploited in the wild.
The issues were fixed in iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1 upgrades. Both flaws were submitted to Apple anonymously.
The CVE-2022-22675 vulnerability has been described as an out-of-bounds write vulnerability in AppleAVD, an audio and video decoding component, that could allow an application to execute arbitrary code with kernel privileges.
Apple indicated that the fault has been patched with enhanced bounds checking, but that "this issue may have been actively exploited."
In addition to CVE-2022-22675, the latest version of macOS Monterey fixes CVE-2022-22674, an out-of-bounds read problem in the Intel Graphics Driver module that might allow a malicious actor to read kernel memory.
According to the iPhone maker, the flaw has been "fixed with better input validation," and there is evidence of active exploitation, however further specifics are being withheld to avoid future abuse.
Since the beginning of the year, Apple has patched four actively exploited zero-day vulnerabilities, not to mention a publicly revealed hole in the IndexedDB API (CVE-2022-22594), which may be used by a malicious website to track users' online activities and identity in the web browser.
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application with kernel privileges may be able to execute arbitrary code.
- CVE-2022-22620 (WebKit) – Maliciously crafted web content may result in arbitrary code execution.
Because the holes are actively being exploited, Apple iPhone, iPad, and Mac users are highly encouraged to upgrade to the most recent versions of the software as quickly as possible to mitigate any hazards.
Updates for iOS and iPad are now available for the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Please do not enter any spam link in the comment box.