Apple has released a new update that seeks to fix two zero-day vulnerabilities hackers have been expoliting. These vulnerabilities have made it possible to hack iPhones, iPads, and Macs.
Apple's New Update Fixes Zero-Day Vulnerabilities Used in Hacks
Apple has a new update that focuses on fixing two zero-day vulnerabilities. These vulnerabilities have been exploited by hackers and used to hack Apple devices.
According to a report by BleepingComputer, there are two zero-day vulnerabilities that the update is fixing. One of which is "an out-of-bounds write issue (CVE-2022-22674) in the Intel Graphics Driver that allows apps to read kernel memory."
The other vulnerability is CVE-2022-22675, an out-of-bounds issue found in the AppleAVD media decoder. This particular vulnerability "will enable apps to execute arbitrary code with kernel privileges," per the report.
Apple has said that it is aware that these vulnerabilities may have exploited by attackers. BleepingComputer's report, however, has pointed out that should they have been exploited, it is most likely for targeted attacks.
The impacted devices include iPhone 6s and later models as well as Macs running on macOS Monterey. As for the iPad devices, the following have been impacted:
- iPad 5th generation and later
- iPad Air 2 and later
- iPad mini 4 and later
- iPod touch 7th generation
- iPad Pro (all devices)
Read Also: Mozilla Releases Fixes Two Zero-Day Bugs: What are Use-After-Free Bugs?
A Total of Five Zero-Day Vulnerabilities for Apple So Far
Ars Technica mentions in its report that the two zero-day vulnerabilities that the latest update is fixing is already the fourth and fifth ones Apple has had to patch for 2022.
In january, a bug known as CVE-2022-22587 that resided in the IOMobileFrameBuffer had to be patched quickly by Apple. Patches that were released by the tech giant for that specific vulnerability applies to the iOS, iPadOS, macOS Monterey, watchOS, tvOS, and even the HomePod Software.
The second vulnerability that Apple had to patch for the year, CVE-2022-22594, made users vulnerable to websites trying to track their sensitive information.
Lasly, the third vulnerability, CVE-2022-22620, was patched by Apple in February. It gave hackers the opportunity to run malicious codes on affected devices.
What is a Zero-Day Vulnerability?
Norton has defined a zero-day vulnerability, otherwise known as a zero-day threat, as "a flaw in security software that's unknown to someone interested in mitigating the flaw, like a developer."
The particular security flaw often starts out as unknown to software developers, meaning only hackers know about this existence. Because software developers are unaware of the flaw to begin with, there is no patch that is readily available to fix it.
The zero-day vulnerability becomes a zero-day exploit when hackers take advantage of the flaw. The zero-day exploit then turns into a zero-day attack when the said exploit is used by attackers to commit a cyberattack.
Related Article: Google Chrome Security Update: CVE-2022-1096 a High-Severity Zero-Day Exploit
