Apple releases emergency patch for two iPhone, Mac zero-day vulnerabilities being exploited

Apple said hackers are actively exploiting two zero-day vulnerabilities in iPhones, iPads and Macs.

In an emergency patch announced this week, Apple released very little information about the bugs, only saying they were submitted anonymously and giving them CVE entries – CVE-2022-32894 and CVE-2022-32893. 

Apple said some iPod models, the iPhone 6S and later models, several models of the iPad, all iPad Pro models and the iPad Air 2 as well as all Mac computers running MacOS Monterey are affected by the bugs.

The vulnerabilities give an attacker the highest privileges in macOS, iPadOS, and iOS — effectively full control of a device. 

Robert Nickle, staff security intelligence engineer at Lookout, explained that the first bug is in “webkit” — the engine of the web browser on iOS. This is likely used as the entry point for an attack, meaning the attack is likely to be initiated by visiting a malicious website, Nickle said.

“The second vulnerability mentioned is in the kernel which then allows for a complete system take over,” he explained. 

The company did not respond to requests for comment about the vulnerabilities. Bugcrowd founder Casey Ellis said the vulnerabilities Apple described are “versatile to an attacker” and said an emergency patch was warranted considering an exploit already appears to be in active use. 

Others, like Digital Shadows’ Rick Holland, noted that Apple should provide more details in their security updates to give defenders additional context that would allow them to better mitigate the risk. 

“It is never reassuring to see the phrase 'execute arbitrary code with kernel privileges.' The WebKit component is also particularly problematic, as it is the browser engine across all Apple software; Apple users should patch now,” Holland said. “Enterprises still need to be concerned because even if you can patch the corporate devices, you can't update all the personal devices employees might use. A compromised personal device could result in initial access to the corporate environment.”

The zero-days would be the sixth and seventh vulnerabilities disclosed by Apple this year. The company reported 17 zero-days in 2021

Netenrich’s John Bambenek added that any vulnerability letting attackers get full privilege on an iPhone is “always very serious and should be addressed immediately.” 

“My hunch is that there were some targeted attacks against some group of people that got noticed and I imagine we’ll here more in the coming days,” he said.

Last month, Apple introduced a new "Lockdown Mode" designed to stop spyware sold to governments. Apple has in recent years been at war with spyware firms around the world that make millions from weaponizing zero-day vulnerabilities in the company's devices.

CVEPatch DateDescription
CVE-2022-22587January 27A memory corruption issue affecting iOS, iPadOS, and macOS Monterey.
CVE-2022-22594January 27A cross-origin issue affecting iOS, iPadOS, watchOS, tvOS, and macOS Monterey.
CVE-2022-22620February 10A use after free issue affecting iOS, iPadOS, and macOS Monterey.
CVE-2022-22675March 31An out-of-bounds write issue affecting iOS, iPadOS, and macOS Monterey.
CVE-2022-22674March 31An out-of-bounds read issue affecting macOS Monterey.
CVE-2022-32893August 17An out-of-bounds write issue affecting iOS, iPadOS, and macOS Monterey.
CVE-2022-32894August 17An out-of-bounds write issue affecting iOS, iPadOS, and macOS Monterey.
Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.