Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild.
The problem, to which the identifier is assigned CVE-2022-32917is rooted in the Kernel component and could allow a malicious application to execute arbitrary code with kernel privileges.
“Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker acknowledged in a brief statement, adding that it has addressed the bug with improved related checks.
– Advertising –
An anonymous researcher has been credited with pointing out the shortcoming. It should be noted that CVE-2022-32917 is also the second kernel-related zero-day flaw that Apple has patched in less than a month.
The patches are available in iOS 15.7, iPadOS 15.7, iOS16, macOS Big Sur 11.7, and macOS Monterey 12.6 versions. iOS and iPadOS updates cover iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch (7th generation).
With the latest patches, Apple has patched seven actively exploited zero-day flaws and one publicly known zero-day vulnerability since the start of the year –
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
- CVE-2022-22594 (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
- CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to execution of arbitrary code
- CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
- CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-32893 (WebKit) – Processing maliciously crafted web content may lead to execution of arbitrary code
- CVE-2022-32894 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
Besides CVE-2022-32917, Apple fixed 10 security flaws in iOS 16, covering Contacts, Kernel Maps, MediaLibrary, Safari and WebKit. The iOS 16 update is also notable for incorporating a new lock mode designed to make it more difficult for no-click attacks.
iOS further introduces a feature called Rapid Security Response which allows users to automatically install security patches on iOS devices without a full operating system update.
“Rapid Security Responses deliver important security improvements faster, before they become part of other improvements in a future software update,” Apple said in a statement. revised supporting document released on Monday.
Finally, iOS 16 also supports Passkeys in the Safari web browser, a passwordless login mechanism that allows users to log in to websites and services by authenticating via Touch ID or Face ID.