Apple patches iPhone and macOS flaws under active attack
High-value targets tend to get hit
Apple has pushed out five security fixes including two vulnerabilities in its iPhones, iPads and Mac operating systems that are already being exploited.
One of these, tracked as CVE-2022-32917, can be used to allow malicious applications to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may have been actively exploited," according to a security alert posted on Monday.
The vendor said it fixed the flaw with improved bounds checks and has released patches for iPhone 6 and later, iPad Pro (all models), iPad Air 2 and later, and iPad 5, iPad mini 4, and iPod touch (7th generation) models and all newer kit.
It also patched buggy macOS Monterey 12.6 and macOS Big Sur 11.7 versions that could be exploited via the same flaw, so we advise all Mac users to spend their Monday evening patching.
Maybe while watching Apple TV, which also requires some updates to fix security flaws in tvOS 16 — but the vendor hasn't released details for that one yet. So it's your call whether Ted Lasso is worth the risk.
Meanwhile, Apple also released patches for another bug (CVE-2022-32894) that Apple acknowledged "may have been actively exploited," in computers running macOS Big Sur 11.7.
This comes less than a month after the company pushed a security update for this same vulnerability in older iPhones and iPads running iOS. It's likely that miscreants also exploited this bug, Apple said at the time.
CVE-2022-32894, which also allows applications to execute arbitrary code with kernel privileges, is caused by an out-of-bounds write flaw. The vendor said it fixed the bug with improved bounds checking.
Apple didn't disclose any additional details about these two vulnerabilities or how they are being exploited by cybercriminals. Both were reported by anonymous bug hunters.
In total, the vendor released five security updates on Monday that include 16 CVEs across its Safari 16 web browser running on macOS Big Sur and macOS Monterey; iOS 16 on iPhone 8 and later; macOS Monterey 12.6; macOS Big Sur 11.7; and iOS 15.7 and iPadOS 15.7 across most models of its iPhone and iPad products as well as seventh-generation iPod touch devices.
It also promised to make "details available soon" for bugs in tvOS 16 and watchOS 9, so keep hitting refresh on the security update page.
The fixes come just days after Apple's latest product premiere, dubbed "Far Out," showcased the company's iPhone 14, Apple Watch 8, and second-generation AirPods Pro earbuds.