Apple emergency update fixes zero-days used to hack iPhones, Macs

Apple has released security updates on Thursday to address two zero-day vulnerabilities exploited by attackers to hack iPhones, iPads, and Macs.

Zero-day security bugs are flaws the software vendor is unaware of and hasn't patched. In some cases, they also have publicly available proof-of-concept exploits or may be actively exploited in the wild.

In security advisories published today, Apple said that they're aware of reports the issues "may have been actively exploited."

The two flaws are an out-of-bounds write issue (CVE-2022-22674) in the Intel Graphics Driver that allows apps to read kernel memory and an out-of-bounds read issue (CVE-2022-22675) in the AppleAVD media decoder that will enable apps to execute arbitrary code with kernel privileges.

The bugs were reported by anonymous researchers and fixed by Apple in iOS 15.4.1, iPadOS 15.4.1, and macOS Monterey 12.3.1 with improved input validation and bounds checking, respectively.

The list of impacted devices includes:

• Macs running macOS Monterey
• iPhone 6s and later
• iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Apple disclosed active exploitation in the wild, however, it did not release any additional info regarding these attacks.

Withholding this information is likely designed to allow the security updates to reach as many iPhones, iPads, and Macs as possible before threat actors pick up on the details and start abusing the now-patched zero-days.

Even though these zero-days were likely only used in targeted attacks, it's still strongly advised to install today's security updates as soon as possible to block potential attack attempts.

Five zero-days patched by Apple this year

In January, Apple patched two more actively exploited zero-days that can enable attackers to achieve arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and the users' identities in real-time (CVE-2022-22594).

In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs, leading to OS crashes and remote code execution on compromised devices after processing maliciously crafted web content.

These first three zero-days also impacted iPhones (iPhone 6s and up), Macs running macOS Monterey, and multiple iPad models.

The company also had to deal with an almost unending stream of zero-days exploited in the wild to target iOS, iPadOS, and macOS devices throughout 2021.

That list includes multiple flaws used to deploy NSO's Pegasus spyware on iPhones belonging to journalists, activists, and politicians.