The vulnerabilities could allow threat actors to disrupt or access kernel activity and may be under active exploit.
Apple rushed out patches for two zero-days affecting macOS and iOS Thursday, both of which are likely under active exploitation and could allow a threat actor to disrupt or access kernel activity.
Apple released separate security updates for the bugs – a vulnerability affecting both macOS and iOS tracked as CVE-2022-22675 and a macOS flaw tracked as CVE-2022-22674. Their discovery was attributed to an anonymous researcher.
CVE-2022-22675 – found in the AppleAVD component present in both macOS and iOS – could allow an application to execute arbitrary code with kernel privileges, according to the advisory.
“An out-of-bounds write issue was addressed with improved bounds checking,” according to the advisory. “Apple is aware of a report that this issue may have been actively exploited.”
CVE-2022-22674 is described in the advisory as an “out-of-bounds read issue” in the Intel Graphics Driver of macOS that could allow an application to read kernel memory. Apple addressed the bug – which also may have been actively exploited – with improved input validation, the company said.
As is typical, Apple didn’t disclose more specifics on the issues and what exploits may be occurring. It won’t do so until it completes its investigation of the vulnerabilities, according to the advisory. However, customers are urged to update devices as soon as possible to patch the bugs.
The vulnerabilities represent the fourth and fifth zero-day flaws patched by Apple this year. That number is well on track to meet or supersede the number of these types of vulnerabilities that Apple was forced to respond to with fixes last year, which was 12, according to security researchers at Google, which keeps a spreadsheet of zero-day flaws categorized by vendor.
To start off 2022, in January, Apple patched two zero-day bugs, one in its device OSes and another in the WebKit engine at the foundation of its Safari browser. Then in February, Apple fixed another actively exploited WebKit bug, a use-after-free issue that allowed threat actors to execute arbitrary code on affected devices after they process maliciously crafted web content.
Last year, the company grappled with a number of WebKit zero-days as well as other key fixes that required emergency updates for its various OSes, according to the Google spreadsheet.
One of those flaws was at the center of one of the biggest security controversies of the year – a zero-click vulnerability targeting iMessage dubbed “ForcedEntry” that NSO Group’s Pegasus spyware allegedly exploited to spy on activists and journalists. The situation eventually led to legal action being taken against the Israeli-based company by Facebook/Meta subsidiary WhatsApp as well as Apple.