Skip to content
FIXES, FIXES. GET YOUR APPLE 0DAY FIXES.

Apple rushes out patches for two 0-days threatening iOS and macOS users

With 5 0-days this year, Apple is on track to meet or break its 2021 tally of 12.

Dan Goodin | 97
Credit: Getty Images
Story text

Apple on Thursday released fixes for two critical zero-day vulnerabilities in iPhones, iPads, and Macs that give hackers dangerous access to the internals of the OSes the devices run on.

Apple credited an anonymous researcher with discovering both vulnerabilities. The first vulnerability, CVE-2022-22675, resides in macOS for Monterey and in iOS or iPadOS for most iPhone and iPad models. The flaw, which stems from an out-of-bounds write issue, gives hackers the ability to execute malicious code that runs with privileges of the kernel, the most security-sensitive region of the OS. CVE-2022-22674, meanwhile, also results from an out-of-bounds read issue that can lead to the disclosure of kernel memory.

Apple disclosed bare-bones details for the flaws here and here. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote of both vulnerabilities.

Raining down Apple zero-days

CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days Apple has patched this year. In January, the company rushed out patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS, and HomePod Software to fix a zero-day memory corruption flaw that could give exploiters the ability to execute code with kernel privileges. The bug, tracked as CVE-2022-22587, resided in the IOMobileFrameBuffer. A separate vulnerability, CVE-2022-22594, made it possible for websites to track sensitive user information. The exploit code for that vulnerability was released publicly prior to the patch being issued.

Apple in February pushed out a fix for a use after free bug in the Webkit browser engine that gave attackers the ability to run malicious code on iPhones, iPads, and iPod Touches. Apple said that reports it received indicated the vulnerability—CVE-2022-22620—might also have been actively exploited.

A spreadsheet Google security researchers maintain to track zero-days shows Apple fixed a total of 12 such vulnerabilities in 2021. Among those was a flaw in iMessage that the Pegasus spyware framework was targeting using a zero-click exploit, meaning devices were infected merely by receiving a malicious message, without any user action required. Two zero-days that Apple patched in May made it possible for attackers to infect fully up-to-date devices.

Listing image: Getty Images

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
97 Comments
Prev story
Next story