Apple admitted there are serious security vulnerabilities in iPhones, iPads and Macs that are being actively exploited.
The announcement last week said the company was aware that users of iPhone 6S and later, iPad 5th generation and later, all iPad Pro models, iPad Air 2, and Macs running macOS Monterey were affected. The vulnerability could provide full admin access to the device, with obvious ramifications for users. The flaws are being tracked as CVE-2022-32894 and CVE-2022-32893.
Fortunately, Apple has released system updates, iOS and iPadOS 15.6.1 and macOS 12.5.1, that address the vulnerabilities. Anyone with an affected device should update it right away. These updates patch the vulnerabilities and will prevent this particular attack.
There are two flaws. The first is a kernel security issue that could allow a bad actor to execute arbitrary code with kernel privileges. The company has revealed no more details, for obvious reasons.
The second vulnerability is apparently down to WebKit. The WebKit engine is used by the Safari browser and many web apps. The exact nature of the vulnerability hasn’t been disclosed either, but it is known to relate to JavaScript. More specifically, JSMap, JSSet, and something called an ‘out-of-bounds write issue.’
Whatever the exact vulnerability was, it meant a bad actor could use infected web content to inject malware onto a device. These were both regarded as zero-day vulnerabilities and were flagged by security researchers working their magic.
Credit to Apple for responding quickly and releasing an update. It’s just a shame this kind of serious vulnerability made it to production in the first place.
If you use iPhone 6S and later, iPad 5th generation and later, iPad Pro, iPad Air 2, or a Mac running macOS Monterey, update right away.
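For anyone responsible for more than one device, the update advice above can be checked against an inventory export. The following is an added example, not Apple tooling or code from the original article: the fixed versions are the ones named above, while the inventory rows, hostnames and the "review" rule for other major releases are assumptions made for illustration.

```python
# Added example, not Apple's tooling. Fixed versions come from the article;
# the inventory rows and hostnames below are constructed sample data.
FIXED = {"iOS": (15, 6, 1), "iPadOS": (15, 6, 1), "macOS": (12, 5, 1)}


def parse_version(text):
    """Turn '15.6' into (15, 6, 0) so it compares correctly against 15.6.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify(os_name, version):
    """Return 'patched', 'needs-update', 'review' or 'unknown' for one device."""
    fixed = FIXED.get(os_name)
    if fixed is None:
        return "unknown"        # platform the article does not mention
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown"        # unparseable inventory data, check by hand
    if current[0] != fixed[0]:
        return "review"         # assumption: other major releases are out of scope here
    return "patched" if current >= fixed else "needs-update"


def audit(inventory):
    """Group hostnames by status so the 'needs-update' list can be actioned first."""
    report = {}
    for host, os_name, version in inventory:
        report.setdefault(classify(os_name, version), []).append(host)
    return report


SAMPLE_INVENTORY = [  # constructed rows: (hostname, platform, reported version)
    ("iphone-sales-01", "iOS", "15.6"),
    ("ipad-kiosk-02", "iPadOS", "15.6.1"),
    ("mbp-dev-03", "macOS", "12.4"),
    ("imac-lab-04", "macOS", "12.5.1"),
    ("mini-build-05", "macOS", "11.6.8"),
    ("watch-06", "watchOS", "8.7"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Devices that land in "review" or "unknown" are not declared safe; they fall outside what the announcement covers and need a manual check.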