Apple has released security updates addressing another zero-day, the eighth exploited in attacks on iPhones and Macs since the beginning of the year. The vulnerability, tracked as CVE-2022-32917, allowed maliciously crafted apps to run arbitrary code with kernel privileges.
The flaw was reported to Apple by an anonymous researcher and has been fixed in iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7, with a fix that introduces improved bounds checks. Additionally, the next big iPhone update, iOS 16, is also available starting September 12.
While Apple has confirmed that it knows about the vulnerability currently being exploited in the wild, the company hasn’t revealed any details about the attack vector or how it is actually being exploited. This is usually done to allow most customers to update their devices before additional threat actors can develop their own exploits to target unsuspecting users.
The impacted devices include the following.
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Macs running macOS Big Sur 11.7 and macOS Monterey 12.6
Patches for another zero-day vulnerability, tracked as CVE-2022-32894, were also released for Macs running macOS Big Sur 11.7 after the bug was previously fixed on iOS in an August 31 update.
The zero-day fixed in the latest update is likely to be used in highly targeted attacks, meaning it won’t impact a majority of Apple users. It’s still recommended that users update to the latest iOS, iPadOS and macOS versions to fend off any potential attacks.
iPhone’s next big update, iOS 16, is also available starting September 12 for iPhone 8 and later. The update was announced at WWDC earlier this year and brings major improvements to the lock screen, iMessage, Photos and Maps, along with improved privacy features.