Two zero-day vulnerabilities that could give hackers root access to Apple devices have been discovered and are already being exploited by cybercriminals. Users are being urged to “update immediately” after the company released a pair of patches for iPadOS, iOS and macOS to fix the problem.
The previously unknown vulnerabilities have been actively exploited by hackers to compromise core components of Apple devices, the company said, though it did not disclose who the hackers were or when the attacks happened. The news comes on the same day Google confirmed a cross-platform zero-day vulnerability in Chrome that also affects Apple devices.
Both of the Apple flaws are “out-of-bounds” issues, in which software writes data past the end or before the start of the intended buffer. This can corrupt data, crash the program or lead to unintended code execution, and that is what happened with these recent exploits, which have already been seen “in the wild”.
One of the exploits, CVE-2022-32893, involves an out-of-bounds issue in WebKit, Apple’s browser engine, that could allow arbitrary code to be executed when a specially crafted piece of web content is processed. The other is arguably more dangerous: an out-of-bounds issue in the operating system kernel across macOS, iPadOS and iOS, known as CVE-2022-32893, that could be used by hackers to install malicious applications with the highest level of privileges on the device.
Apple said in a statement that it has addressed both issues with improved bounds checking in WebKit and the operating systems, and urged people to update immediately. The fixes ship in iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for the iPhone 6s and later, all models of the iPad Pro, the iPad Air 2 and later, and the 5th-generation iPad and later.
Apple zero-day flaws in 2022
Apple has now had to issue six zero-day patches since January, which shows the “persistency of attackers looking for vulnerabilities in popular applications”, according to Jake Moore, global cybersecurity advisor at ESET. “Moreover, finding one in a Mac can be extra lucrative due to many people still wrongly assuming Macs are always protected without bespoke security and antivirus installed.”
Moore criticised the lack of information from Apple on the vulnerabilities, describing the release as a “big update” that should be installed immediately. “Issues with the kernel usually mean big potential problems and means people should update straight away,” he said.
“Unfortunately, being able to take over the operating system, hackers would be able to control whatever they desire making this a very serious flaw indeed and would need patching immediately.”
Moore adds that it is “important to update the app on all devices and make sure an up to date endpoint antivirus is installed too to mitigate any other potential Mac exploits”.
Zero-day exploits in Chrome and Zoom also cause headaches for Apple
The news comes on the same day Google released details of a zero-day vulnerability in the Chrome web browser on Windows, Mac and Linux that is already being exploited to give hackers access to system resources or to allow arbitrary code execution.
Known as CVE-2022-2856, it is one of eleven security vulnerabilities patched in the most recent Chrome update, although it is the only one confirmed to have been actively exploited. Other browsers built on Chromium, the engine that powers Chrome, including Brave, Edge and Opera, are likely to be affected by the vulnerability as well.
Apple users were also hit by a vulnerability in Zoom earlier this week, CVE-2022-28756, that could allow an attacker to gain access to and take over a Mac computer via the Zoom package installer.
The exploit arose from the way Zoom’s auto-update client connects to a daemon (a type of programme running in the background) with higher privileges, using a two-step process. It allowed a hacker to trick the update manager into downgrading Zoom to an earlier, more easily exploitable version, or into installing a different package. Because this bypassed the security verifications, it gave the hacker root access to the victim’s machine.
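As an added illustration (not Zoom’s code and not taken from the article), the sketch below shows how a privileged update daemon can close both gaps the article describes: it verifies the package itself rather than trusting the unprivileged client, and it reads the version from the signed blob and refuses anything that is not newer than what is installed. The HMAC key, the blob layout and the version strings are constructed stand-ins for a real code-signing check.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key: stands in for the vendor's code-signing trust root.
VENDOR_KEY = b"constructed-vendor-signing-key"
TAG_LEN = 32  # SHA-256 digest length


def parse_version(version: str) -> tuple:
    """Turn '5.11.3' into (5, 11, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def sign_package(version: str, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Build a signed update blob: MAC || version header || payload.

    The version is inside the signed body, so an attacker holding a genuine
    older package cannot relabel it as a newer one without breaking the MAC.
    """
    body = version.encode() + b"\n" + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


@dataclass
class UpdateDaemon:
    """Privileged side of the updater: the only place trust decisions happen."""
    installed_version: str
    key: bytes = VENDOR_KEY

    def validate(self, blob: bytes) -> str:
        tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare; a bad or truncated tag fails here.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad signature"
        # Only now is the header trustworthy enough to parse.
        version = body.split(b"\n", 1)[0].decode()
        if parse_version(version) <= parse_version(self.installed_version):
            return f"rejected: downgrade to {version}"
        return f"accepted: {version}"


if __name__ == "__main__":
    daemon = UpdateDaemon(installed_version="5.11.0")
    print(daemon.validate(sign_package("5.12.0", b"new-package")))
    print(daemon.validate(sign_package("5.10.4", b"old-package")))
```

Note that the daemon never lets the client tell it which version it is installing; that claim comes only from data the signature covers.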