Apple released iOS 15.3 and macOS Monterey 12.2 on Wednesday. The updates contain a fix for the Safari data issue as well as for a zero-day vulnerability that Apple claims has been exploited in the wild to break into its devices.
The vulnerability, tracked as CVE-2022-22587, stems from a memory corruption flaw in the IOMobileFrameBuffer component, which a malicious application could exploit to run arbitrary code with kernel privileges.
The iPhone manufacturer reported that it’s “aware of a report that this issue may have been actively exploited.” It didn’t say what kind of attacks were being carried out, how broad they were, or who was behind them.
After CVE-2021-30807 and CVE-2021-30883, CVE-2022-22587 is the third zero-day vulnerability reported in IOMobileFrameBuffer in six months. Apple fixed four further flaws in the kernel extension that manages the screen framebuffer in December 2021.
The tech giant has also patched a recently revealed Safari vulnerability (CVE-2022-22594) stemming from a flawed implementation of the IndexedDB API, which a malicious website could use to track users’ online activities in the web browser and even reveal their identity.
Other flaws of note include —
- CVE-2022-22584 – A memory corruption issue in ColorSync that may lead to arbitrary code execution when processing a maliciously crafted file.
- CVE-2022-22578 – A logic issue in Crash Reporter that could allow a malicious application to gain root privileges.
- CVE-2022-22585 – A path validation issue in iCloud that could be exploited by a rogue application to access a user’s files.
- CVE-2022-22591 – A memory corruption issue in Intel Graphics Driver that could be abused by a malicious application to execute arbitrary code with kernel privileges.
- CVE-2022-22593 – A buffer overflow issue in Kernel that could be abused by a malicious application to execute arbitrary code with kernel privileges.
- CVE-2022-22590 – A use-after-free issue in WebKit that may lead to arbitrary code execution when processing maliciously crafted web content.
Finally, the researchers concluded that the updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation) and macOS devices running Big Sur, Catalina and Monterey.