This week Apple released an emergency update to address a new zero-day vulnerability that affects macOS and iOS.
CVE-2022-32917 Zero-Day: Overview
Reports indicate that the zero-day has already been exploited in the wild. Tracked as CVE-2022-32917 and reported anonymously, the flaw could allow malicious applications to perform arbitrary code execution attacks with kernel privileges.
The list of affected Apple devices includes iPhone 6 and later, all models of iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, 7th generation of iPod touch, and macOS Big Sur 11.7 and macOS Monterey 12.6. Apple has confirmed the exploitation of CVE-2022-32917. The flaw was addressed with improved bounds checks, the company said.
It is also notable that Apple backported the patch for CVE-2022-32894, which is another zero-day, in macOS Big Sur 11.7 following the release of additional security updates on August 31 to fix the same issue in older iPhones and iPads.
What Is Backporting?
Backporting occurs when a software patch or update is taken from a recent software version and applied to an older version of the same software. Backporting is common in legacy applications or older versions still supported by the developer.
All affected users should upgrade their Apple devices against the vulnerabilities as soon as possible. Even though the zero-days were most likely used in highly-targeted attacks, the risk of leaving your devices exposed to attacks is real.
In August, the company fixed two other zero-days in macOS, iOS and iPadOS. The zero-days, known as CVE-2022-32893 and CVE-2022-32894 (the patch for which was just backported), have been exploited in the wild against exposed devices. Both issues were fixed with improved bounds checking.