Apple released an emergency update to address two zero-day vulnerabilities. The vulnerabilities are tracked as CVE-2022-32893 (out-of-bounds in WebKit) and CVE-2022-32894 (out-of-bounds issue in the operating system’s Kernel). This year apple addressed a total of 6 zero-day vulnerabilities. Therefore, a good vulnerability management tool can solve these issues.
The patch for this issue is included in recent releases for macOS and other Apple products. Apple is aware that threat actors use these vulnerabilities to exploit the wild. Apple has also released an update for watchOS (watchOS 8.7.1), but no CVE is associated with that update. However, A Vulnerability Management Software can prevent these attacks.
- CVE-2022-32893: Attackers use malicious websites which mislead iPhones, iPads, and Macs into running unapproved and untrusted software programs utilizing Apple’s HTML rendering software (WebKit) which will finally lead to remote code execution.
Safari and other web-accessible apps run on the WebKit web browser engine.
- CVE-2022-32894: An attack which has already access by using CVE-2022-32893 on an Apple device may move from managing just one app to manipulating the entire operating system kernel, however gaining superuser privileges typically only granted to Apple.
Impact of CVE-2022-32893
- Spy on all running applications
- Without visiting the App Store, download and launch new applications.
- Modify the system security configurations
- Monitor your web usage
- Use the device’s cameras
- Turn on the microphone
- Capture screenshots
- Find your geo-location
and much more.
- Macs running macOS Monterey
- iPhone 6s and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini four and later, and iPod touch (7th generation).
Solution for CVE-2022-32893
- macOS Monterey 12.5.1
- iOS 15.6.1
- iPadOS 15.6.1
The standalone update is also released for Safari, which will take you to Safari 15.6.1. Simply updating Safari will not patch CVE-2022-32893 and CVE-2022-32894. Therefore, Safari can’t be considered as a workaround, other apps can access the web which will trigger the vulnerability.