Apple has fixed two zero-day vulnerabilities in macOS, iOS and iPadOS. The flaws, tracked as CVE-2022-32893 and CVE-2022-32894, have been exploited in the wild against exposed devices.
CVE-2022-32893 and CVE-2022-32894 in macOS, iOS and iPadOS
CVE-2022-32893 is an out-of-bounds flaw in WebKit that allows arbitrary code execution when specially crafted web content is processed. CVE-2022-32894 is also an out-of-bounds issue, this time in the kernel, that could be leveraged for arbitrary code execution with the highest privileges possible.
Both vulnerabilities were fixed with improved bounds checking. Technical details surrounding the vulnerabilities are scarce. As for how the flaws were exploited, they were most likely used in highly targeted attacks.
In July, Apple fixed a total of 37 software vulnerabilities across iOS, iPadOS, macOS, tvOS and watchOS. The flaws affected different parts of the operating systems and could be used for privilege escalation, arbitrary code execution, information disclosure and denial-of-service attacks.