Apple has released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year. The bug (tracked as CVE-2022-32917) may allow maliciously crafted applications to execute arbitrary code with kernel privileges. Reported to Apple by an anonymous researcher, it was addressed in iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7 with improved bounds checks.
The complete list of impacted devices includes:
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Macs running macOS Big Sur 11.7 and macOS Monterey 12.6
Apple also backported patches for another zero-day (CVE-2022-32894) to Macs running macOS Big Sur 11.7 after releasing additional security updates on August 31 to address the same bug on iOS versions running on older iPhones and iPads. Although Apple disclosed active exploitation of this vulnerability in the wild, the company has yet to release any information regarding these attacks. By refusing to release this info, Apple likely wants to allow as many customers as possible to patch their devices before other attackers develop their own exploits and start deploying them in attacks targeting vulnerable iPhones and Macs.