On Wednesday, Apple released iOS 15.3 and macOS Monterey 12.2 with fixes that defeat privacy in Safari, as well as prevent a zero-day vulnerability, which it says has been exploited to penetrate devices. their equipment.
Follow is CVE-2022-22587The vulnerability is related to memory corruption in the IOMobileFrameBuffer component that could be abused by a malicious application to execute arbitrary code with kernel privileges.
The iPhone maker said it was “aware of a report that this issue may have been actively exploited,” adding that it has addressed the issue with improved input validation. It does not reveal the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them.
An anonymous researcher along with Meysam Firouzi and Siddharth Aeri has been credited with discovering and reporting the vulnerability.
CVE-2022-22587 is the third zero-day vulnerability discovered in IOMobileFrameBuffer in about six months after CVE-2021-30807 and CVE-2021-30883. In December 2021, Apple addressed four additional weaknesses in the kernel extension used to manage the screen framebuffer.
Also fixed by the tech giant is a recently disclosed vulnerability in Safari that results from a buggy implementation of the IndexedDB API (CVE-2022-22594), which could be abused by a malicious website to track track users’ online activities in web browsers and even reveal their identities.
Other flaws to watch out for include –
- CVE-2022-22584 – Memory corruption issue in ColorSync that can lead to arbitrary code execution when dealing with a maliciously crafted file
- CVE-2022-22578 – A logic problem in Crash Reporter could allow a malicious app to gain root privileges
- CVE-2022-22585 – iCloud path authentication problem can be exploited by rogue apps to access user’s files
- CVE-2022-22591 – Memory corruption issue in Intel Graphics Driver that can be abused by malicious application to execute arbitrary code with kernel privileges
- CVE-2022-22593 – Buffer overflows in the Kernel can be abused by a malicious application to execute arbitrary code with kernel privileges.
- CVE-2022-22590 – Free after-use issues in WebKit can lead to arbitrary code execution when dealing with maliciously crafted web content
Updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation or later, iPad mini 4 or later, iPod touch (7th generation) and macOS devices running Big Sur, Catalina , and Monterey.