Apple Releases Security Updates to Patch Two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)

Apple has rolled out emergency security updates to patch two zero-day vulnerabilities that are known to be under active exploitation against iPhones, iPads and Macs.

The two zero-days are tracked as CVE-2022-32893 and CVE-2022-32894. The vulnerabilities are known to affect all iPhones, iPads and macOS devices.

CVE-2022-32893 is an out-of-bounds vulnerability that may lead to arbitrary code execution when maliciously crafted web content is processed. Apple's advisory states, “Apple is aware of a report that this issue may have been actively exploited.”

CVE-2022-32894 is an out-of-bounds write vulnerability that allows an application to execute arbitrary code with kernel privileges. Because the kernel runs at the highest privilege level in an operating system, an attacker who exploits this flaw can run code with those privileges. Apple's advisory states, “Apple is aware of a report that this issue may have been actively exploited.”

Affected Devices

  • Macs running macOS Monterey
  • iPhone 6s and later
  • iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Safari versions prior to 15.6.1 for macOS Big Sur and macOS Catalina

Mitigation

Apple has released macOS Monterey 12.5.1, iOS 15.6.1 and iPadOS 15.6.1 to patch the two zero-day vulnerabilities. Apple has also released Safari 15.6.1 to patch CVE-2022-32893.
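As an added example that is not part of the Qualys post or Apple's advisories, the POSIX shell script below gates a Mac against the fixed versions named above (macOS Monterey 12.5.1, iOS/iPadOS 15.6.1, Safari 15.6.1); the `version_ge` and `patch_status` helpers and the Safari `Info.plist` path it reads are assumptions of the example, not anything from the page.

```shell
#!/bin/sh
# Added example (not Qualys or Apple code): gate a Mac against the fixed
# builds named in the Mitigation section. Constants are the page's versions.
MACOS_FIXED="12.5.1"    # macOS Monterey 12.5.1 (CVE-2022-32893, CVE-2022-32894)
IOS_FIXED="15.6.1"      # iOS / iPadOS 15.6.1
SAFARI_FIXED="15.6.1"   # Safari 15.6.1 for Big Sur and Catalina (CVE-2022-32893)

# version_ge A B: return 0 when dotted version A >= B, comparing numeric
# components left to right; a missing component counts as 0 (12.5 < 12.5.1).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# patch_status PRODUCT VERSION: print a verdict; return 0 when patched,
# 1 when still vulnerable, 2 for a product the advisory does not cover.
patch_status() {
    case "$1" in
        monterey)   fixed="$MACOS_FIXED" ;;
        ios|ipados) fixed="$IOS_FIXED" ;;
        safari)     fixed="$SAFARI_FIXED" ;;
        *) echo "unknown product: $1" >&2; return 2 ;;
    esac
    if version_ge "$2" "$fixed"; then
        echo "$1 $2: patched (fix shipped in $fixed)"; return 0
    fi
    echo "$1 $2: VULNERABLE, update to $fixed"; return 1
}

# Live check, only on a Mac (sw_vers present). Only Monterey receives the
# kernel fix; Big Sur and Catalina rely on the Safari 15.6.1 update.
if command -v sw_vers >/dev/null 2>&1; then
    osv="$(sw_vers -productVersion)"
    case "$osv" in
        12|12.*) patch_status monterey "$osv" ;;
        *) echo "macOS $osv is not Monterey; check Safari instead" ;;
    esac
    plist=/Applications/Safari.app/Contents/Info.plist   # assumed bundle path
    if [ -f "$plist" ]; then
        patch_status safari "$(defaults read "$plist" CFBundleShortVersionString)"
    fi
fi
```

On a non-Mac host the live section is skipped and only the helpers are defined, so the script can be sourced by a fleet inventory job that already collects version strings.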

Qualys Detection

Qualys customers can scan their network with QIDs 376830 and 376842 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References and Sources

https://support.apple.com/en-us/HT213413

https://support.apple.com/en-us/HT213414

https://support.apple.com/en-us/HT201222

https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/
