August 18, 2022

Apple patches zero day vulnerabilities being exploited by hackers

The flaws are already being exploited by cyber criminals, the company says. Users must act to avoid problems.

By Ryan Morrison

Two zero day vulnerabilities that could give hackers root access to Apple devices have been discovered, and are already being exploited by cybercriminals. Users are being urged to “update immediately” after the company released a pair of patches for iPadOS, iOS and macOS to fix the problem.

The two zero day flaws impact a wide range of Apple products (pic: Shahid Jamil/iStock)

The previously unknown vulnerabilities have been actively exploited by hackers to compromise core aspects of Apple devices, the company said, though it did not disclose any details of the identities of the hackers or when the attacks happened. The news comes on the same day Google confirmed a cross-platform zero day vulnerability in Chrome, also impacting Apple devices.

Both of the Apple flaws involve “out-of-bounds” issues, where the software writes data past the end or before the start of the intended buffer, which can result in the corruption of data, a crash or unintended code execution. That is what happened in the case of these recent exploits that have already been seen “in the wild”.

One of the exploits, CVE-2022-32893, involves an out-of-bounds issue with WebKit, Apple’s web API that could allow for arbitrary code to be executed by processing a specially crafted piece of web content. The other is, arguably, more dangerous as it is an out-of-bounds issue in the operating system kernel across macOS, iPadOS and iOS known as CVE-2022-32893 that could be used by hackers to install malicious applications with the highest level of privileges to that device.

Apple said in a statement that it has addressed both issues by improving bounds checking within WebKit and the operating systems and urged people to update immediately. It has been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. Updates to iOS and iPadOS are available for iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later and the 5th generation iPad and later.
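As an added illustration of what “improving bounds checking” means for an out-of-bounds write (this is not Apple's code; the buffer size and the function names `store_unchecked`, `store_checked` and `try_store` are hypothetical), the C sketch below sets a write that trusts an input-supplied offset and length beside a version that rejects writes before the start, past the end, or with a length large enough to wrap the arithmetic:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_CAP 16 /* constructed destination size */

/* Unchecked form, for contrast only (never called): offset and len come
 * straight from the input, so the write can land before or after dst. */
void store_unchecked(uint8_t *dst, long offset, const uint8_t *src, size_t len)
{
    memcpy(dst + offset, src, len);
}

/* Checked form: 0 on success, -1 if any byte would fall outside dst[0..cap).
 * Written as len > cap - offset so that offset + len can never wrap. */
int store_checked(uint8_t *dst, size_t cap, long offset,
                  const uint8_t *src, size_t len)
{
    if (offset < 0)                  /* before the start */
        return -1;
    if ((size_t)offset > cap)        /* start already past the end */
        return -1;
    if (len > cap - (size_t)offset)  /* runs past the end */
        return -1;
    memcpy(dst + offset, src, len);
    return 0;
}

/* Runs one constructed request against a buffer with 4 guard bytes on each
 * side; returns store_checked's result, or -2 if a guard byte changed. */
int try_store(long offset, size_t len)
{
    uint8_t region[4 + SLOT_CAP + 4], payload[SLOT_CAP];
    memset(region, 0xAA, sizeof region);
    memset(payload, 0x41, sizeof payload);
    int rc = store_checked(region + 4, SLOT_CAP, offset, payload, len);
    for (size_t i = 0; i < 4; i++)
        if (region[i] != 0xAA || region[4 + SLOT_CAP + i] != 0xAA)
            return -2;
    return rc;
}

int main(void)
{
    printf("in range: %d, before start: %d, past end: %d, wrapping len: %d\n",
           try_store(8, 8), try_store(-1, 1), try_store(8, 9),
           try_store(4, (size_t)-1));
    return 0;
}
```

The last case is the one a naive `offset + len <= cap` test misses, because the sum wraps around to a small number.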

Apple zero day flaws in 2022

Apple has now had to issue six zero day patches since January, which shows the “persistency of attackers looking for vulnerabilities in popular applications”, according to Jake Moore, global cybersecurity advisor at ESET. “Moreover, finding one in a Mac can be extra lucrative due to many people still wrongly assuming Macs are always protected without bespoke security and antivirus installed.”

Moore criticised a lack of information from Apple on the vulnerabilities, describing it as a “big update” that should be installed immediately. “Issues with the kernel usually mean big potential problems and means people should update straight away,” he says.

“Unfortunately, being able to take over the operating system, hackers would be able to control whatever they desire making this a very serious flaw indeed and would need patching immediately.”

Moore adds that it is “important to update the app on all devices and make sure an up to date endpoint antivirus is installed too to mitigate any other potential Mac exploits”.

Zero day exploits in Chrome and Zoom also cause headaches for Apple

This exploit comes on the same day Google released details of a zero day vulnerability in the Chrome web browser on Windows, Mac and Linux that is already being exploited to give hackers access to system resources or allow for arbitrary code execution.

Known as CVE-2022-2856, it is one of eleven security vulnerabilities patched in the most recent update to the Chrome browser, although this is the only one confirmed to have been actively exploited. Other browsers based on Chromium, the engine that powers Chrome, including Brave, Edge and Opera, are likely to also be affected by the vulnerability.

Apple users were also hit by a vulnerability found in Zoom earlier this week named CVE-2022-28756 that could allow an attacker to gain access and take over a Mac computer via the Zoom package installer.

The exploit came about because of the way the auto-update client in Zoom connects to a daemon (a type of programme running in the background) with higher levels of privileges using a two-step process. It allowed a hacker to trick the update manager into forcing Zoom to downgrade to a more easily exploitable earlier version of Zoom or download a different package. It gave the hacker root access to the victim’s machine as it could bypass security verifications.
