On 17 August, Apple issued an emergency security update for vulnerabilities affecting multiple devices, noting that they are already being exploited by threat actors. We recommend applying the latest updates as soon as possible.
Details
Apple released advisories on two critical vulnerabilities fixed as part of the August emergency updates. The flaws are as follows:
- CVE-2022-32893 affects WebKit, the browser engine developed by Apple that powers Safari, every browser on iOS and iPadOS, and any Apple app that renders web content through WebView. Processing maliciously crafted web content served by a threat actor could lead to remote code execution.
- CVE-2022-32894 is an out-of-bounds write issue in the kernel that could allow an application to execute code with kernel privileges. The two flaws chain together: a threat actor could first use the WebKit vulnerability above to gain code execution inside an application, then leverage CVE-2022-32894 to obtain administrative privileges and bypass security restrictions on the vulnerable device.
Apple reported that these issues have been actively exploited but did not provide any details on the exploitation.
Apple has released macOS Monterey 12.5.1, iOS 15.6.1, iPadOS 15.6.1, and Safari 15.6.1 to address these vulnerabilities.
Recommendations
- If you are using any of the vulnerable Apple products, ensure you have the latest updates installed.
- Check for and install software updates on your device manually by going to Settings > General > Software Update.
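For administrators who need to confirm the fix across a fleet rather than on a single device, the following POSIX shell script is an added example (not part of the advisory or of Apple's tooling). It compares an installed version string against the minimum fixed versions named above (macOS 12.5.1, iOS 15.6.1, iPadOS 15.6.1, Safari 15.6.1) using numeric per-component comparison, so that a version such as 12.10 is correctly treated as newer than 12.5. The `sw_vers` call reports the local Mac when run there; the inventory lines at the bottom are constructed sample data standing in for an MDM export.

```shell
#!/bin/sh
# Added example: check installed Apple OS/browser versions against the
# minimum versions that fix CVE-2022-32893 and CVE-2022-32894.

# version_ge A B: returns 0 when dotted version A >= B (numeric per component).
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        : "${a:=0}"; : "${b:=0}"          # missing component counts as 0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Minimum fixed versions as listed in the advisory.
min_fixed_version() {
    case $1 in
        macOS)             echo 12.5.1 ;;
        iOS|iPadOS|Safari) echo 15.6.1 ;;
        *)                 echo "" ;;
    esac
}

# patch_status PRODUCT VERSION: prints PATCHED, NEEDS-UPDATE or UNKNOWN.
# Anything below the fixed build (including older major releases) is flagged.
patch_status() {
    min=$(min_fixed_version "$1")
    if [ -z "$min" ]; then
        echo UNKNOWN
        return 0
    fi
    if version_ge "$2" "$min"; then echo PATCHED; else echo NEEDS-UPDATE; fi
}

# On a real Mac, report the local machine.
if command -v sw_vers >/dev/null 2>&1; then
    echo "local macOS: $(patch_status macOS "$(sw_vers -productVersion)")"
fi

# Constructed sample inventory (product, version) as an MDM export might give it.
SAMPLE_INVENTORY="macOS 12.5.1
macOS 12.5
macOS 12.6
iOS 15.6.1
iPadOS 15.6
Safari 15.6.1
watchOS 8.7"

printf '%s\n' "$SAMPLE_INVENTORY" | while read -r product version; do
    echo "$product $version: $(patch_status "$product" "$version")"
done
```

Products the advisory does not cover (watchOS in the sample) are reported as UNKNOWN rather than silently passed, so they still surface for manual review.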
References