Security

Apple emits macOS, iOS, iPadOS patches for 'exploited' security bugs

Nothing like a little kernel-level memory snooping, code execution


Apple has released updates for its mobile and desktop operating systems to patch security holes that may well have been exploited in the wild.

On Thursday, the iPhone giant issued macOS Monterey 12.3.1; iOS 15.4.1 and iPadOS 15.4.1; tvOS 15.4.1; and watchOS 8.5.1 to address vulnerabilities in its software.

The Monterey release closes CVE-2022-22675, an out-of-bounds write flaw reported by an anonymous researcher, in the driver-level AppleAVD audio-video decoder. This can be abused by an application to run code at the kernel level, meaning a rogue app or user can gain powerful privileges and completely take over the machine.

Apple said it "is aware of a report that this issue may have been actively exploited." The bug was fixed by applying improved memory bounds checking.

Rust in peace: Memory bugs in C and C++ code cause security issues so Microsoft is considering alternatives once again

READ MORE

The Monterey update also patches CVE-2022-22674, an out-of-bounds read flaw again reported by an unnamed researcher, in the OS's Intel graphics driver. This can be exploited by a rogue app or user to access kernel memory that should be out of reach, and thus steal any secrets hidden in there, such as keys and credentials.

Again, Apple said it is aware of a report that this flaw has been actively exploited. This bug was squashed by performing better user input validation.

The iOS and iPadOS releases address the same AppleAVD flaw, meaning malicious phone and tablet apps can exploit the bug to hijack devices. There were, curiously, no advisories for the tvOS and watchOS security releases because each "update has no published CVE entries," according to Apple.

Users should apply these updates as soon as they can, if they've not already been automatically installed. The macOS vulnerabilities are present in at least Macs running Monterey. The iOS update is available for the iPhone 6s and later, all models of the iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

We note that Apple, so far this year, has fixed a bunch of exploited-in-the-wild bugs in its products, in January and February. ®

Send us news
4 Comments

If Apple's environmental rhetoric is meaningful, Macs and iPads should converge

An Apple a day keeps the doctor away, but too many might be a burden on the planet.

Apple sued for collecting user data despite opt-outs

Doesn't matter what the data is, they thought they pushed the off switch, argues complaint

Only iPhone 15 Pro models will have higher data transfer speeds on USB-C – analyst

Ming-Chi Kuo is prognosticating again

UK competition watchdog investigates Apple and Google 'stranglehold' over the mobile market

Apple doesn't want to bite

Apple to end policy that charged South Korean devs higher App Store commissions

Korea's antitrust org to develop a platform to respond to Big Tech’s sneaky ways

VMware refreshes desktop hypervisors, adds Apple Silicon support

Partial VM encryption enables the virtual TPMs Windows 11 guests can't live without

Apple and Amazon conspired to raise iPhone and iPad prices, claims class action lawsuit

Alleges agreement choked resellers using Amazon Marketplace, eliminated 98% of competition

Foxconn workers protest over pay and lockdowns at iPhone factory in China

Contractor apologizes for 'technical error occurred during the onboarding process'

Evernote's fall from grace is complete, with sale to Italian app maker

Frustrate enough users and your product will stumble. Hint, hint, Elon

Google’s resistance to third party Play store payments eases further with US tests

Tune in to hear how it works on Spotify, or hook up with choice on Bumble

Apple warns of slow iPhone 14 Pro shipments as COVID hurts production in China

Buyers told of longer wait times for shiny new phones that don't do a lot more than last year’s model

Microsoft hits the switch on password-free smartphone authentication

No more MF phish on this MFA cellphone as Azure AD CBA + YubiKey hits preview