Patch Now: 2 Apple Zero-Days Exploited in Wild

Published: 23/11/2024   Category: security




The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.



Security researchers are urging users of Apple Mac, iPhone, and iPad devices to immediately update to newly released versions of the operating systems for each technology, to mitigate risk from two critical vulnerabilities in them that attackers are actively exploiting.
The zero-day flaws allow threat actors to take complete control of affected devices. They impact users of iPhone 6s and later, all models of iPad Pro, iPod touch (7th generation), iPad Air 2 and later, iPad 5th generation and later, and iPad mini 4 and later. Also affected are users with Macs running macOS Monterey, macOS Big Sur, and macOS Catalina. Apple disclosed the vulnerabilities and the updates addressing them on Wednesday.
One of the zero-days (CVE-2022-32893) exists in WebKit, Apple's browser engine for Safari and for all iOS and iPadOS Web browsers. Apple described the flaw as tied to an out-of-bounds write issue that attackers could use to remotely take control of vulnerable devices. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in one of its typically terse vulnerability disclosures this week. "Apple is aware of a report that this issue may have been actively exploited," the company noted.
The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.
Apple said it had implemented improved bounds checking in iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 to address both issues.
Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said the widespread use of Apple's technologies puts both businesses and consumers at risk from the vulnerabilities. "While cyber criminals will no doubt try to access personal information about consumers, accessing a business often has significantly more upside for malicious actors," she says.
In a blog, Sophos identified CVE-2022-32893 as having potentially the wider impact compared to the other flaw that Apple disclosed this week. The flaw gives attackers a way to set up booby-trapped Web pages that can trick Macs, iPhones, and iPads into running untrusted software. "Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page," the security vendor said.
The flaw has widespread impact because WebKit powers all Web rendering software on Apple's mobile devices and is used widely by Mac users as well. The vulnerability impacts more applications and systems components than just the Safari browser itself, so steering clear of the browser alone is not enough to mitigate risk, Sophos said.
"The WebKit component is particularly problematic, as it is the browser engine across all Apple software," says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. "Apple users should patch now. These updates need to be applied as soon as possible."
Like many others have noted about the sparse nature of software vendor vulnerability disclosures recently, Holland too said it would have been more useful for defenders if Apple had provided more context and details around the flaws.
"Apple is light on the technical details of this week's two zero-day vulnerabilities," he says. "However, it is never reassuring to see the phrase 'execute arbitrary code with kernel privileges,' as Apple's disclosure reads."
Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs. These updates present a security awareness opportunity to discuss the risks to employees' lives and provide patching instructions, including how to enable automatic updates.
Mike Parkin, senior technical engineer at Vulcan Cyber, says there's not enough information to determine how easily attackers can exploit these vulnerabilities. But reports about the flaws being already used in the wild are concerning, he says, especially because they allow for remote code execution. "Apple products are widely used both in enterprise and consumer markets, and often overlap for people who work in Bring Your Own Device (BYOD) environments," he says. "Given that, and the relative lack of detail, it's hard to say who'll be more at risk."
Organizations should deploy the appropriate controls to minimize the risk to their environments, Parkin advocates. "The ones that allow BYOD devices will face some additional challenges, as they'll need to address systems that they don't directly control."
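
To act on the advice to push patches out, the sketch below audits a device inventory against the fixed versions named above. It is an added example, not code from Apple or any vendor quoted here. The CSV layout, the host names, and the choice to check Safari on Macs older than Monterey are assumptions; the sample rows are constructed.

```python
import csv
import io

# Fixed versions exactly as named in the article.
FIXED = {"ios": (15, 6, 1), "ipados": (15, 6, 1),
         "macos": (12, 5, 1), "safari": (15, 6, 1)}

# Constructed sample inventory; the column layout is an assumption.
SAMPLE_CSV = """host,platform,os_version,safari_version
iphone-ann,iOS,15.6.1,
ipad-kiosk,iPadOS,15.6,
mbp-dev01,macOS,12.5.1,15.6.1
mbp-dev02,macOS,12.5,15.6
imac-lab,macOS,11.6.8,15.6.1
mini-old,macOS,10.15.7,15.5
byod-07,iOS,unknown,
"""

def parse_version(text):
    """Return a 3-part int tuple, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not text.strip() or not all(p.isdigit() for p in parts) or len(parts) > 3:
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def check_device(row):
    """Return None if the device meets the fixed versions, else a reason string."""
    platform = row["platform"].strip().lower()
    os_ver = parse_version(row["os_version"])
    if platform not in ("ios", "ipados", "macos") or os_ver is None:
        return "cannot verify: unrecognised platform or version"
    if platform in ("ios", "ipados"):
        return None if os_ver >= FIXED[platform] else "OS below 15.6.1"
    if os_ver[0] == 12 and os_ver < FIXED["macos"]:
        return "macOS Monterey below 12.5.1"
    # Assumption: on Big Sur / Catalina the Safari 15.6.1 update is what to check.
    if os_ver[0] < 12:
        safari = parse_version(row["safari_version"])
        if safari is None or safari < FIXED["safari"]:
            return "Safari below 15.6.1 or unknown"
    return None

def audit(csv_text):
    """Map host -> reason for every device that needs attention."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: why for r in reader if (why := check_device(r))}

if __name__ == "__main__":
    for host, why in audit(SAMPLE_CSV).items():
        print(f"{host}: {why}")
```

Devices whose version cannot be parsed are reported rather than skipped, which matters for the BYOD systems an organization does not directly control.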
