Anonymous researchers have reported two errors in Apple's operating systems that could be exploited in highly targeted, sophisticated attacks. The danger is malware infection with high administrative privileges on our iPhones. But the patch is already available.
Apple released a security update on Thursday, with emergency patches (macOS Monterey 12.5.1, iOS 15.6.1 and iPadOS 15.6.1), as a mitigation against two major vulnerabilities in its systems that have been heavily exploited by cyber-criminals.
This clearly has far-reaching implications. Apple products have become a mainstay of everyday life: facial recognition, banking apps, health data, and pretty much everything we care about resides in our Apple products. All of it is now at high risk of attack if we don't install the available updates right away.
Apple iPhone, the two bugs
As reported, the two patches apply to the iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7.
The first bug is tracked as CVE-2022-32894. This is an out-of-bounds write vulnerability in the operating system kernel. The problem is not easily exploitable (successful exploitation takes a well-targeted, sophisticated attack) and has been fixed, according to Apple itself, with improved bounds checking.
An application, such as malware, could exploit this vulnerability to achieve remote code execution (RCE) with kernel privileges.
Since this is the highest level of privilege, a process running with it can execute any command on a device, effectively taking full control of it.
The second zero-day bug, tracked as CVE-2022-32893, is an overflow vulnerability in WebKit, the web browser engine used by Safari and other web applications.
Apple claims that this latter vulnerability would allow an attacker to execute arbitrary code and could be triggered remotely when a user visits a maliciously crafted website.
Need to update right away
The errors were reported by anonymous researchers. In line with its well-established company policy, Apple has not released any details on the ongoing attacks or any indicators of compromise that would help detect them.
It is likely that these zero-days have been used in targeted attacks. Given that the affected devices go back as far as the iPhone 6S (we are talking about 2015!), it is possible that the flaws have been known for some time. It is still recommended to install the latest security updates as soon as possible, as the only truly effective mitigation.
Unfortunately, we live in a world where software developers continually have to make fixes. Likewise, users also need to apply those patches, often (as now) with some urgency to overcome vulnerabilities.