Tue | Oct 25, 2022 | 4:14 PM PDT

Apple recently released a security update to fix the ninth Zero-Day vulnerability that has been used in cyberattacks targeting iPhones and iPads since the beginning of the year.

An anonymous security researcher reported the vulnerability to Apple. It is now tracked as CVE-2022-42827 and described as an out-of-bounds write issue in the Kernel. Apple also shared in an advisory that the vulnerability might have been "actively exploited."

Exploitation of an out-of-bounds write, which occurs when the software writes data past the end or before the beginning of the intended buffer, can result in corruption of data, a crash, or code execution. 

As is usually the case with actively exploited Zero-Day flaws, Apple refrained from sharing more specifics about the shortcoming other than acknowledging that it's "aware of a report that this issue may have been actively exploited."

By not releasing any additional information about the vulnerability, Apple is allowing users to patch their devices before threat actors develop additional exploits.

The security update is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, discussed the Apple patch with SecureWorld News:

"Apple's fixed a number of potentially troublesome vulnerabilities with this update. Anything that could potentially allow remote code execution with kernel privileges is problematic, and several of the identified vulnerabilities had that potential," Parkin said. "With people relying so heavily on their mobile devices for their work and personal lives, and with how much crossover there can be, it's good that Apple addressed these faults."

Michael Covington, VP of Portfolio Strategy at Jamf, said he believes that organizations should use this security update from Apple as an opportunity to stay up to date on all patches, no matter how big or small:

"The latest security fixes from Apple are a good reminder that even the most recent software releases can contain bugs; it is critical for organizations to maintain an active patch management and update process for both operating systems and applications.

"Details on the vulnerabilities are still emerging, but we know that eight of the issues fixed were being actively exploited, including one that allowed rogue applications to write data to a location it should not have been allowed to access, resulting in data corruption or unauthorized code execution. We are urging all of our customers to update their devices and reduce their organizations' exposure to attack."

Zero-Day vulnerabilities patched by Apple this year

With this recent security update, Apple has fixed nine Zero-Day bugs in 2022, which include:

  • CVE-2022-22587: A malicious application may be able to execute arbitrary code with kernel privileges.

  • CVE-2022-22594: A website may be able to track sensitive user information.

  • CVE-2022-22620: Processing maliciously crafted web content may lead to arbitrary code execution.

  • CVE-2022-22674: A local user may be able to read kernel memory.

  • CVE-2022-22675: An application may be able to execute arbitrary code with kernel privileges.

  • CVE-2022-32893: Processing maliciously crafted web content may lead to arbitrary code execution.

  • CVE-2022-32894: An application may be able to execute arbitrary code with kernel privileges.

  • CVE-2022-32917: An application may be able to execute arbitrary code with kernel privileges.
