Apple releases emergency patch for two iPhone, Mac zero-day vulnerabilities being exploited

Apple said hackers are actively exploiting two zero-day vulnerabilities in iPhones, iPads and Macs.

In an emergency patch announced this week, Apple released very little information about the bugs, only saying they were submitted anonymously and giving them CVE entries – CVE-2022-32894 and CVE-2022-32893. 

Apple said some iPod models, the iPhone 6S and later models, several models of the iPad, all iPad Pro models and the iPad Air 2 as well as all Mac computers running MacOS Monterey are affected by the bugs.

The vulnerabilities give an attacker the highest privileges in macOS, iPadOS, and iOS — effectively full control of a device. 

Robert Nickle, staff security intelligence engineer at Lookout, explained that the first bug is in “webkit” — the engine of the web browser on iOS. This is likely used as the entry point for an attack, meaning the attack is likely to be initiated by visiting a malicious website, Nickle said.

“The second vulnerability mentioned is in the kernel which then allows for a complete system take over,” he explained. 

The company did not respond to requests for comment about the vulnerabilities. Bugcrowd founder Casey Ellis said the vulnerabilities Apple described are “versatile to an attacker” and said an emergency patch was warranted considering an exploit already appears to be in active use. 

Others, like Digital Shadows’ Rick Holland, noted that Apple should provide more details in their security updates to give defenders additional context that would allow them to better mitigate the risk. 

“It is never reassuring to see the phrase 'execute arbitrary code with kernel privileges.' The WebKit component is also particularly problematic, as it is the browser engine across all Apple software; Apple users should patch now,” Holland said. “Enterprises still need to be concerned because even if you can patch the corporate devices, you can't update all the personal devices employees might use. A compromised personal device could result in initial access to the corporate environment.”

ATTENTION
Apple found two 0-days actively in use that could effectively give attackers full access to device.
For most folks: update software by end of day
If threat model is elevated (journalist, activist, targeted by nation states, etc): update now https://t.co/BUEn08260X

— Rachel Tobac (@RachelTobac) August 18, 2022

The zero-days would be the sixth and seventh vulnerabilities disclosed by Apple this year. The company reported 17 zero-days in 2021. 

Netenrich’s John Bambenek added that any vulnerability letting attackers get full privilege on an iPhone is “always very serious and should be addressed immediately.” 

“My hunch is that there were some targeted attacks against some group of people that got noticed and I imagine we’ll here more in the coming days,” he said.

Last month, Apple introduced a new "Lockdown Mode" designed to stop spyware sold to governments. Apple has in recent years been at war with spyware firms around the world that make millions from weaponizing zero-day vulnerabilities in the company's devices.