Apple credits an anonymous researcher who discovered both vulnerabilities. The first vulnerability, CVE-2022-22675, is found on macOS for Monterey and iOS or iPadOS for most iPhone and iPad models. The flaw, which comes from an out-of-bounds write problem, allows hackers to execute malicious code that runs at the core privileges of the operating system’s most security-sensitive area. CVE-2022-22674, meanwhile, also arises from an out-of-bounds reading issue that could lead to the discovery of kernel memory. Apple has revealed clear details about the flaws here and here. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote of both vulnerabilities. Advertising
It’s raining Apple zero-days
CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero days that Apple is repairing this year. In January, the company hastily released patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS and HomePod Software to fix a zero-day memory corruption defect that could allow users to execute code with kernel privileges. The error, tracked as CVE-2022-22587, was in the IOMobileFrameBuffer. A particular vulnerability, CVE-2022-22594, has allowed websites to track sensitive user information. The exploit code for this vulnerability was made public before the patch was released. Apple released a free bug fix in February on its Webkit browser that allowed intruders to execute malicious code on iPhone, iPad and iTouches. Apple said reports it received indicate that the vulnerability — CVE-2022-22620 — could also have been actively exploited. A spreadsheet kept by Google security researchers to track zero days shows that Apple fixed a total of 12 such vulnerabilities in 2021. Among them was an iMessage flaw that targeted the Pegasus spyware framework using a zero-click exploit, meaning that the devices were infected simply by receiving a malicious message, requiring no user action. Two zero-day fixes by Apple in May allowed attackers to infect fully up-to-date devices.
