You are currently viewing Apple Addresses Two Wildly Exploited Zero-Day Vulnerabilities!

Apple Addresses Two Wildly Exploited Zero-Day Vulnerabilities!

Apple released an emergency update to address two zero-day vulnerabilities. The vulnerabilities are tracked as CVE-2022-32893 (out-of-bounds in WebKit) and CVE-2022-32894 (out-of-bounds issue in the operating system’s Kernel). This year apple addressed a total of 6 zero-day vulnerabilities.

The patch for this issue is included in recent releases for macOS and other Apple products. Apple is aware that threat actors use these vulnerabilities to exploit the wild. Apple has also released an update for watchOS (watchOS 8.7.1), but no CVE is associated with that update.  


Technical Details

  • CVE-2022-32893: Attackers use malicious websites which mislead iPhones, iPads, and Macs into running unapproved and untrusted software programs utilizing Apple’s HTML rendering software (WebKit) which will lead to remote code execution.

Safari and other web-accessible apps run on the WebKit web browser engine.

  • CVE-2022-32894: An attacker who has already gotten access by using CVE-2022-32893 on an Apple device may move from managing just one app to manipulating the entire operating system kernel, gaining superuser privileges typically only granted to Apple.


Impact

  1. Spy on all running applications
  2. Without visiting the App Store, download and launch new applications.
  3. Modify the system security configurations
  4. Monitor your web usage
  5. Use the device’s cameras
  6. Turn on the microphone
  7. Capture screenshots
  8. Find your geo-location

and much more.


Affected Products

  1. Macs running macOS Monterey
  2. iPhone 6s and later
  3. iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini four and later, and iPod touch (7th generation).


Solution

  1. macOS Monterey 12.5.1
  2. iOS 15.6.1
  3. iPadOS 15.6.1

The standalone update is also released for Safari, which will take you to Safari 15.6.1. Simply updating Safari will not patch CVE-2022-32893 and CVE-2022-32894. Safari can’t be considered as a workaround, other apps can access the web which will trigger the vulnerability.


SanerNow VM and SanerNow PM detect the vulnerabilities and automatically fixes them by applying the security update. Use SanerNow and keep your systems updated and secure.

0 0 votes
Article Rating
Subscribe
Notify of

0 Comments
Inline Feedbacks
View all comments