Apple has released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year. The bug (tracked as CVE-2022-32917) may allow maliciously crafted applications to execute arbitrary code with kernel privileges. Reported to Apple by an anonymous researcher, it was addressed in iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7 with improved bounds checks.
The complete list of impacted devices includes:
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation
- and Macs running macOS Big Sur 11.7 and macOS Monterey 12.6
Apple also backported patches for another zero-day (CVE-2022-32894) to Macs running macOS Big Sur 11.7 after releasing additional security updates on August 31 to address the same bug on iOS versions running on older iPhones and iPads. Although Apple disclosed active exploitation of this vulnerability in the wild, the company is yet to release any information regarding these attacks. By refusing to release this info, Apple likely wants to allow as many customers as possible to patch their devices before other attackers develop their own exploits and start deploying them in attacks targeting vulnerable iPhones and Macs.
While this zero-day was most likely only used in highly-targeted attacks, installing these security updates as soon as possible is still strongly advised to block attack attempts. This is the eighth zero-day fixed by Apple since the start of the year:
• In August, it patched two zero-day vulnerabilities in the iOS Kernel (CVE-2022-32894) and WebKit (CVE-2022-32893)
• In March, Apple patched two zero-day bugs in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
• In February, Apple released security updates to fix another WebKit zero-day bug exploited in attacks against iPhones, iPads, and Macs.
• In January, Apple patched two other exploited zero-days that enabled code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594).