Apple has released an urgent security patch that addresses multiple flaws in different versions of iOS, iPad OS, and macOS. Some of these flaws, the company confirmed, are being actively abused in the wild.
“Apple is aware of a report that this issue may have been actively exploited.” the company said in a security advisory (opens in new tab) without going into detail about who is abusing what, exactly.
The patch fixes a total of five security updates, covering 16 CVEs affecting Safari 16 (opens in new tab) on macOS (opens in new tab) Big Sur, macOS Monterey, iOS 16 on iPhone 8 and newer, as well as macOS Monterey 12.6, macOS Big Sur 11.7, and iOS 15.7 and iPadOS 15.7 on most of its devices. The company is also working to address the issues on tvOS.
Arbitrary code execution
Of all the CVEs addressed in this security update, two are being actively exploited, as they allow for arbitrary code execution, it was said.
One is CVE-2022-32917, which allows malicious apps to execute arbitrary code with kernel privileges. This one was fixed, the company said, with improved bounds checks. The second one is CVE-2022-32894, abused against computers running macOS Big Sur 11.7. This one also allows for arbitrary code execution, and is caused by an out-of-bounds write flaw. Apple fixed this one the same way, with improved bounds checking.
Anonymous tipsters drew Apple’s attention to these flaws, the company added.
The fixes were released mere days after Apple introduced iOS 16, a release that brings improvements to many apps, from a redesigned Home app for your smart appliances to better privacy features, and a big focus on the lock screen, with new fonts, colors, and themes to choose from.
There’s also satellite calling coming to the newly-announced iPhone 14 models, a feature coming in November 2022.
Via: The Register (opens in new tab)
