Apple has released another round of security updates to address numerous vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in wild attacks.
The issue has been assigned an identifier CVE-2022-32917is rooted in the Kernel component and can enable a malicious application to execute arbitrary code with kernel privileges.
“Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker acknowledged in a brief statement, adding that it resolved the flaw with improved related controls.
An anonymous researcher is credited with reporting the deficiencies. It’s worth noting that CVE-2022-32917 is also the second Kernel-related zero-day flaw that Apple has patched in less than a month.
Patches are available on iOS 15.7, iPadOS 15.7, iOS 16, macOS Big Sur 11.7, and macOS Monterey 12.6. iOS and iPadOS updates cover iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (generation 7th).
With the latest patches, Apple has addressed seven actively exploited zero-day flaws and one publicly known zero-day vulnerability since the beginning of the year –
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
- CVE-2022-22594 (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively used)
- CVE-2022-22620 (WebKit) – Maliciously crafted web content processing can lead to arbitrary code execution
- CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
- CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-32893 (WebKit) – Maliciously crafted web content processing can lead to arbitrary code execution
- CVE-2022-32894 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
In addition to CVE-2022-32917, Apple has introduced 10 security holes in iOS 16, which include Contacts, Kernel Maps, MediaLibrary, Safari, and WebKit. The iOS 16 update is also notable for the inclusion of a new block mode that is designed to make zero-click attacks more difficult.
iOS further introduces a feature called Rapid Security Response that makes it possible for users to automatically install security fixes on iOS devices without a full OS update.
“Rapid security fixes deliver important security improvements sooner, before they become part of other improvements in a future software update,” Apple said in a revised support document published Monday.
Finally, iOS 16 also brings support for passkeys to the Safari web browser, a passwordless login mechanism that allows users to sign in to websites and services by authenticating via Touch ID or Face ID.