Apple Fixes Actively Exploited iOS and iPadOS Zero-Day Vulnerability


Apple released new updates on Monday to patch a zero-day vulnerability in iOS and iPadOS devices that has reportedly been actively exploited in the wild.

The out-of-bounds write issue in the kernel (tracked CVE-2022-42827) could be exploited by rogue applications to execute arbitrary code with admin privileges.

“Apple is aware of a report that this issue may have been actively exploited,” the company wrote. “An out-of-bounds write issue was addressed with improved bounds checking.”

The update is available for iPhone 8 and later, iPad Pro (all models), iPad 5th generation and later, iPad Air 3rd generation and later and iPad mini 5th generation and later. An anonymous researcher has been credited for discovering the vulnerability.

The fixed vulnerability is the third of this kind Apple fixed over the last couple of months after CVE-2022-32894 and CVE-2022-32917, both of which were also reportedly exploited in the wild.

Beyond CVE-2022-42827, the latest update from Apple also patches up 19 other security vulnerabilities. Of these, CVE-2022-42813, CVE-2022-42808, CVE-2022-42823 and CVE-2022-32922 could all lead to arbitrary code execution.

A complete list of the vulnerabilities fixed this week in iOS 16.1, including those affecting AppleMobileFileIntegrity, AVEVideoEncoder, Core Bluetooth, GPU Drivers, IOHIDFamily, Sandbox and Shortcuts, is available on the company’s changelog page for the iOS 16.1 update.

More generally, there have been at least eight documented in-the-wild zero-day attacks against Apple devices this year across macOS, iOS and iPadOS devices.

In all of these cases, Apple did not disclose details on the active exploitation or provide indicators of compromise (IoC) or other data to aid iOS users in looking for signs of infections.

The iOS 16.1 update comes weeks after Fast Company’s Apple News account was breached and sent obscene push notifications to users on their mobile devices. The account was then removed by Apple News and has not been added back at the time of writing. 



Source link