Apple released macOS Monterey 12.5.1 and iOS 15.6.1 (same for iPadOS) to patch two zero-day vulnerabilities that have been reported to be actively exploited to hack Macs, iPhones and iPads. The two vulnerabilities, tracked as CVE-2022-32893 and CVE-2022-32894, are the same for all three Apple operating systems.
The first one, CVE-2022-32893 is an out-of-bounds write vulnerability in the operating system’s kernel. Exploitation can lead to code execution with kernel privileges (the highest privilege possible) meaning malware can perform any command on the exploited device, essentially taking full control.
The second vulnerability, CVE-2022-32894 is also an out-of-bounds write vulnerability in WebKit, Apple’s in-house web browser engine used by Safari and other apps that can access the web. Exploiting this flaw gives an attacker the ability to run arbitrary code on the target device. Since it’s in a web engine, there’s a good chance that the vulnerability can be exploited remotely by leading the victim to a malicious website.
All devices running macOS Monterey, iPhone 6s and later, all models of the iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later as well as the seventh generation iPod Touch are all vulnerable to the two bugs.
The vulnerabilities were reported to Apple by anonymous developers and have been fixed in the aforementioned OS updates with improved bounds checking for both bugs. Reportedly these vulnerabilities were only exploited in targeted attacks, but it’s still strongly recommended that you install them as soon as possible.
Apple seems to be dropping the ball this year with security, one of Apple’s prime reasons for claiming iOS is better than Android. So far in 2022 Apple has patched seven zero-days — two in January, one in February, two in March and now another two in August.
Outside of fixing vulnerabilities, another security issue that has recently come into the limelight again is the ineffectiveness of VPN apps on iPhones, as well as TikTok’s iOS app’s in-app browser potentially keylogging its users.
In the News: TikTok might be keylogging your iPhone