Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day vulnerability that has been used in attacks in the wild.
Problem, specified identifier CVE-2022-32917is derived from the Kernel component and can allow a malicious application to execute arbitrary code with kernel privileges.
“Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker admitted in a brief statement, adding that it had addressed the bug with tests. binding is improved.
An anonymous researcher was credited with reporting the omission. It’s worth noting that CVE-2022-32917 is also the second Kernel-related zero-day that Apple has fixed in less than a month.
The patches are available in versions of iOS 15.7, iPadOS 15.7, iOS 16, macOS Big Sur 11.7, and macOS Monterey 12.6. iOS and iPadOS updates include iPhone 6s and later, iPad Pro (all models), iPad Air 2 or later, iPad 5th generation or later, iPad mini 4 or later, and iPod touch (5th generation) 7).
With the latest fixes, Apple has addressed seven actively exploited zero-day vulnerabilities and one publicly known zero-day since the beginning of the year –
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application can execute arbitrary code with kernel privileges
- CVE-2022-22594 (WebKit Storage) – A website that can track sensitive user information (publicly known but not actively exploited)
- CVE-2022-22620 (WebKit) – Processing of manually generated web content may result in arbitrary code execution
- CVE-2022-22674 (Intel Graphics Driver) – An application can read kernel memory
- CVE-2022-22675 (AppleAVD) – An application that can execute arbitrary code with kernel privileges
- CVE-2022-32893 (WebKit) – Processing of manually generated web content may result in arbitrary code execution
- CVE-2022-32894 (kernel) – An application can execute arbitrary code with kernel privileges
Besides CVE-2022-32917, Apple plugged 10 security holes in iOS 16, including Contacts, Kernel Map, MediaLibrary, Safari, and WebKit. The iOS 16 update is also notable for incorporating a new Lock Mode designed to make zero-click attacks harder.
iOS introduces an additional feature called Rapid Security Response that makes it possible for users to automatically install security fixes on iOS devices without a full operating system update.
“Fast Security Responses deliver critical security enhancements faster, before they become part of other enhancements in a future software update,” Apple said in a support document. The amendment was announced on Monday.
Finally, iOS 16 also supports passwords in the Safari web browser, a passwordless sign-in mechanism that allows users to sign in to websites and services by authenticating through Touch ID or Face ID.