On Monday, Apple fixed a high-severity zero-day vulnerability that allows attackers to remotely execute malicious code with the highest privileges inside the operating system kernel of fully updated iPhones and iPads.
In a security report, Apple used the phrase “may have been actively exploited,” which is industry lingo for saying a previously undiscovered vulnerability is being used to attack systems. The memory corruption flaw was caused by an “out-of-bounds write,” which occurred when Apple software wrote code or data outside the bounds of a protected buffer. Hackers frequently exploit such flaws to direct malicious code into OS-critical areas and then trigger its execution.
Without going into any detail, Apple stated that an “anonymous researcher” had disclosed the issue.
According to a spreadsheet kept up to date by Google researchers, Apple has patched seven zero-day vulnerabilities so far this year, excluding CVE-2022-42827. Including this most recent one, Apple will have patched eight zero-day vulnerabilities in 2022. CVE-2022-42827, according to Bleeping Computer, is Apple’s ninth zero-day vulnerability patched in the previous 10 months.
Zero-day vulnerabilities are flaws that are found and either actively disclosed or exploited before the responsible vendor has a chance to patch them. Zero-day vulnerabilities frequently sell for $1 million or more. Attackers that have access to zero-day vulnerabilities often work for nation-states or other large, well-funded organizations, and to safeguard their investment they typically exploit the flaws only in highly focused campaigns. The vendor typically patches rapidly after learning of the zero-day, which lowers the value of the exploit.
Given these economics, it is exceedingly improbable that this vulnerability has been used to target the majority of individuals. However, now that a fix is available, more attackers will have the chance to dissect it and produce their own exploits to use against unpatched devices. Affected users, including those using iPhone 8 and later, iPad Pros, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later, should ensure they’re running iOS 16.1 or iPadOS 16.
“Rushes out” has been changed to “releases” in the post’s title, and “and” has been added to the lower deck.
Besides CVE-2022-42827, the updates fix 19 other security vulnerabilities, including two in the kernel, three in Point-to-Point Protocol, two in WebKit, and one each in AppleMobileFileIntegrity, Core Bluetooth, IOKit, and the iOS sandbox.