Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day vulnerability that has been used in real-world attacks.
The issue, tracked as CVE-2022-32917, resides in the Kernel component and could allow a malicious application to execute arbitrary code with kernel privileges.
“Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker acknowledged in a brief statement, adding that it had addressed the bug with improved bounds checks.
An anonymous researcher has been credited with reporting the flaw. It’s worth noting that CVE-2022-32917 is also the second Kernel-related zero-day that Apple has fixed in less than a month.
The patches are available in iOS 15.7, iPadOS 15.7, iOS 16, macOS Big Sur 11.7, and macOS Monterey 12.6. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
With the latest fixes, Apple has addressed 7 actively exploited zero-day vulnerabilities and one publicly known zero-day since the beginning of the year:
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
- CVE-2022-22594 (WebKit Host) – A website may be able to track sensitive user information (publicly known but not actively exploited)
- CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
- CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-32893 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2022-32894 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
Besides CVE-2022-32917, Apple has plugged 10 security holes in iOS 16, spanning Contacts, Kernel, Maps, MediaLibrary, Safari, and WebKit. The iOS 16 update is also notable for introducing Lockdown Mode, a setting designed to make zero-click attacks more difficult.
iOS 16 further introduces a feature called Rapid Security Responses, which lets users install security fixes on iOS devices automatically without a full operating system update.
“Rapid Security Responses deliver critical security enhancements faster, before they become part of other enhancements in a future software update,” Apple said in a support document. The updates were released on Monday.
Finally, iOS 16 also brings passkeys to the Safari web browser, a passwordless sign-in mechanism that allows users to log in to websites and services by authenticating with Touch ID or Face ID.