Apple security update fixes zero-day vulnerability
Apple released a series of security updates for bugs that included a critical zero-day vulnerability in iOS and macOS that is being actively exploited in the wild.
Apple users would be well-advised to patch their devices following the release of a set of security fixes from the technology giant.
Ranging from the Apple Watch firmware to iOS, tvOS and various builds of macOS, the fixes include a number of critical code execution flaws that could allow for root-level takeover of a vulnerable device.
First and foremost on the patch list is CVE-2022-22587, a zero-day vulnerability in the IOBuffer component for iOS and pre-Catalina versions of macOS. The bug is already under active exploitation in the wild, according to Apple's advisory published Wednesday.
The vulnerability allows an already-installed application to gain root code execution privileges on a vulnerable device. Credit for the discovery was shared between an anonymous researcher, Meysam Firouzi from the Mercedes-Benz Innovation Lab, and Siddharth Aeri.
While Apple did not provide details as to how the vulnerability was being exploited, in the context of iOS such zero-day code execution flaws are often used to unlock or jailbreak phones.
Administrators should note that an exploit of CVE-2022-22587 would require the attacker to already be running local code on the device, either through a forced installation or through social engineering, such as tricking the target with a fake application. Apple did not provide details on how widespread the exploitation is at the moment.
The zero-day bug is part of a larger set of updates Apple has posted to address various security flaws in its platforms. The tech giant does not adhere to a set patch schedule in the way that Microsoft or Google do, but still posts several major firmware updates for its mobile and desktop devices every year.
For macOS Monterey and iOS 15.3, Apple's latest releases, the flaw is one of three code execution bugs addressed. Apple also fixed CVE-2022-22590 in WebKit and CVE-2022-22584 in ColorSync.
Users and administrators running Macs should update to Monterey 12.2, Big Sur 11.6.3 and Catalina 2022-001. For iOS, iPadOS, and tvOS, the update is version 15.3. Apple Watch users should update to watchOS 8.4.