Apple has released new security updates to backport patches released earlier this week to older iPhones and iPads, addressing an actively exploited zero-day bug. The vulnerability (CVE-2022-42827) is the one Apple patched for iPhone and iPad devices this Monday, October 24. Potential attackers can use it to execute arbitrary code with kernel privileges if successfully exploited in attacks.
The out-of-bounds write issue was reported to Apple by an anonymous researcher. It is caused by the software being able to write data outside the boundaries of the memory buffer. This can result in data corruption, application crashes, and code execution due to undefined or unexpected results (also known as memory corruption) from subsequent data written to the buffer. With improved bounds checking, Apple addressed the zero-day vulnerability in iOS 15.7.1 and iPadOS 15.7.1 today.
Analyst Notes
Even though this zero-day was most likely only used in targeted attacks, it’s strongly suggested to patch even older devices as soon as possible to block potential attack attempts. The impacted devices include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). Apple disclosed the security flaw “may have been actively exploited” in the wild but is yet to release info regarding these attacks. CISA also added this zero-day to its catalog of known exploited vulnerabilities on October 25, which requires Federal Civilian Executive Branch (FCEB) agencies to patch it to protect “against active threats.”
https://www.bleepingcomputer.com/news/security/apple-fixes-recently-disclosed-zero-day-on-older-iphones-ipads/
