Apple on Monday disclosed and patched a kernel-level zero-day vulnerability affecting many of its iOS devices.
Apple disclosed the flaw, CVE-2022-42827, via its Oct. 24 iOS 16 security update. The bug is an out-of-bounds write issue that, if exploited, is capable of arbitrary code execution with kernel privileges. It was fixed with "improved bounds checking," Apple's security update read.
The severity of the flaw is unknown, and the bug was submitted by an anonymous researcher.
The flaw affects the bulk of modern Apple devices:
- iPhone 8 and later
- iPad Pro, all models
- iPad Air 3rd generation and later
- iPad 5th generation and later
- iPad mini 5th generation and later
The new iOS security update is particularly significant in that it includes 13 vulnerabilities capable of arbitrary code execution and nine involving the kernel in some capacity. However, CVE-2022-42827 is unique in that the tech giant "is aware of a report that this issue may have been actively exploited."
TechTarget Editorial reached out to Apple for additional information regarding the exploitation's scope, but the vendor declined to comment.
The reason the update contains a high number of significant vulnerabilities is unknown, though it could be the result of iOS 16's release -- Sept. 12 -- being so recent. For comparison, macOS Ventura, which released Tuesday, was accompanied by a separate security update containing fixes for more than 100 vulnerabilities with CVE designations.
A new blog post from Sophos provided additional context regarding the patched vulnerabilities, including CVE-2022-42827. The security vendor recommends patching early and often.
"Apple hasn't said which cybercrime group or spyware company is abusing this bug, dubbed CVE-2022-42827, but given the high price that working iPhone zero-days command in the cyberunderworld, we assume that whoever is in possession of this exploit [a] knows how to make it work effectively and [b] is unlikely to draw attention to it themselves, in order to keep existing victims in the dark as much as possible," Sophos principal research scientist and post author Paul Ducklin wrote.
CVE-2022-42827 is the latest zero-day disclosed for Apple devices this year. The vendor released emergency patches for two previously exploited bugs in March, and there have been numerous other zero-days affecting Apple products this year alone.
Alexander Culafi is a writer, journalist and podcaster based in Boston.