📱 2022-04-01 02:51:09 – Paris/France.
Apple on Thursday released patches for two critical zero-day vulnerabilities in iPhones, iPads and Macs that give hackers dangerous access to internal components of the operating systems the devices run on.
Apple credited an anonymous researcher with discovering the two vulnerabilities. The first vulnerability, CVE-2022-22675, resides in macOS Monterey and in iOS or iPadOS for most iPhone and iPad models. The flaw, which stems from an out-of-bounds write issue, gives hackers the ability to execute malicious code that runs with the privileges of the kernel, the most security-sensitive region of the operating system. CVE-2022-22674, meanwhile, results from an out-of-bounds read issue that can lead to kernel memory disclosure.
Apple disclosed rudimentary details about the flaws. "Apple is aware of a report that this issue may have been actively exploited," the company wrote of the two vulnerabilities.
Apple Zero Days Rain
CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days fixed by Apple this year. In January, the company released patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS, and HomePod Software to address a zero-day memory corruption flaw that could give exploits the ability to execute code with kernel privileges. The bug, tracked as CVE-2022-22587, resided in the IOMobileFrameBuffer. A separate vulnerability, CVE-2022-22594, allowed websites to track sensitive user information. The exploit code for this vulnerability was made public before the patch was released.
In February, Apple released a patch for a use-after-free bug in the WebKit browser engine that gave attackers the ability to run malicious code on iPhones, iPads and iTouches. Apple said reports it received indicated that the vulnerability, CVE-2022-22620, could also have been actively exploited.
A spreadsheet Google security researchers maintain to track zero-days shows that Apple patched a total of 12 such vulnerabilities in 2021. Among those was a flaw in iMessage that the spyware framework Pegasus targeted using a zero-click exploit, meaning devices were infected simply by receiving a malicious message, with no user action required. Two zero days that Apple patched in May allowed attackers to infect fully up-to-date devices.
SOURCE: Reviews News