Apple has released emergency patches that fix two anonymously reported zero-days in macOS and iOS. The company said the flaws have been exploited in the wild.
The vulnerabilities have been fixed in iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1.
CVE-2022-22674 and CVE-2022-22675: Technical Details
CVE-2022-22675, which has been used in attacks, is an out-of-bounds write vulnerability in AppleAVD, the audio and video decoding component. The vulnerability could lead to arbitrary code execution (also known as remote code execution) with kernel privileges. It has been fixed with improved bounds checking.
The other vulnerability, CVE-2022-22674, is an out-of-bounds read issue in the Intel Graphics Driver module. The issue could enable malicious actors to read kernel memory, and it has been addressed with improved input validation. Apple said there is evidence that this flaw has been actively exploited as well.
Earlier this year, security researcher Ryan Pickren discovered and reported to Apple four macOS vulnerabilities that exposed the Safari browser.
The researcher’s hack “successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15.” The research brought four zero-day flaws to light: CVE-2021-30861, CVE-2021-30975, and two without CVEs. Pickren reported the vulnerability chain to Apple and was awarded $100,500 as a bounty.