Apple has released security updates to patch two zero-day vulnerabilities (CVE-2022-22674 and CVE-2022-22675) exploited by attackers to hack iPhones, iPads, and Macs. Apple revealed active exploitation in the wild but did not provide any other information about the attacks.
Withholding this information should allow security patches to reach as many iPhones, iPads, and Macs as possible before threat actors catch up on the specifics and begin exploiting the now-patched zero-day vulnerabilities.
The first vulnerability, CVE-2022-22675, affects Monterey on macOS and most iPhone and iPad devices running iOS or iPadOS. The flaw occurs due to an out-of-bounds write issue and allows attackers to run malicious code with kernel privileges, the most security-sensitive part of the operating system.
The second vulnerability, CVE-2022-22674 is caused by an out-of-bounds read vulnerability that can expose kernel memory.
With this vulnerability, the total number of actively exploited zero-days patched by Apple this year increases to four. The previous two vulnerabilities were:
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
- CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
Affected versions
Versions prior to
- iOS and iPadOS 15.4.1
- macOS Monterey 12.3.1
Mitigation
Customers can upgrade to the latest versions of:
Customers can upgrade to the latest versions of:
- iOS and iPadOS 15.4.1
- macOS Monterey 12.3.1
For more information, please visit the security advisories:
All the updated versions can be downloaded from Apple Downloads.
Qualys Detection
Qualys customers can scan their devices with QID 376509 & 610405 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://support.apple.com/en-us/HT213219
https://support.apple.com/en-us/HT213220
https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html
https://www.bleepingcomputer.com/news/security/apple-emergency-update-fixes-zero-days-used-to-hack-iphones-macs/
https://arstechnica.com/information-technology/2022/03/apple-rushes-out-patches-for-two-zero-days-threatening-ios-and-macos-users/