Apple has released emergency security updates to address two zero-day vulnerabilities used to hack into iPhones, iPads, and Macs. According to Apple, there has been active exploitation of these vulnerabilities in the wild.
The first vulnerability, tracked as CVE-2022-32894, is an out-of-bounds write vulnerability that exists in the kernel of macOS. Since the kernel runs with the highest privileges on an operating system, threat actors that exploit this vulnerability would be able to execute code on the system at this level, effectively taking complete control over it. The second vulnerability, tracked as CVE-2022-32893, is also an out-of-bounds write vulnerability, but in the WebKit application. WebKit is the web browser engine used by Safari and other applications that can access the web. This vulnerability would allow threat actors to execute code on the device and can likely be exploited remotely by visiting a maliciously crafted website.
The following devices are affected by these vulnerabilities:
- Macs running macOS Monterey
- iPhones 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Apple has released fixes for macOS Monterey in version 12.5.1 and iOS and iPadOS in version 15.6.1.