Apple releases fixes for two zero-days affecting Macs, iPhones and iPads
Apple released fixes for CVE-2022-22675 and CVE-2022-22674, both of which were submitted by anonymous researchers.
“Apple is aware of a report that this issue may have been actively exploited,” the tech giant said of both vulnerabilities.
CVE-2022-22675 relates to an out-of-bounds write issue affecting the AppleAVD media decoder. Apple said it was addressed with improved bounds checking.
The company explained that the vulnerability would allow an attacker to take over a device and execute arbitrary code with kernel privileges.
CVE-2022-22674 is a similar out-of-bounds read issue affecting the Intel Graphics Driver that “may lead to the disclosure of kernel memory and was addressed with improved input validation.”
For Macs, the update is included in macOS Monterey 12.3.1. iPhones and iPads have the update in iOS 15.4.1 and iPadOS 15.4.1.
The fix is for iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Apple declined to comment further about reports of the zero-days being exploited in the wild.
| CVE | Date | Description |
|---|---|---|
| CVE-2022-22587 | January 27 | A memory corruption issue affecting iOS, iPadOS, and macOS Monterey. |
| CVE-2022-22594 | January 27 | A cross-origin issue affecting iOS, iPadOS, watchOS, tvOS, and macOS Monterey. |
| CVE-2022-22620 | February 10 | A use after free issue affecting iOS, iPadOS, and macOS Monterey. |
| CVE-2022-22675 | March 31 | An out-of-bounds write issue affecting iOS, iPadOS, and macOS Monterey. |
| CVE-2022-22674 | March 31 | An out-of-bounds read issue affecting macOS Monterey. |