Apple recently released updates to fix a zero-day, known as CVE-2022-42827, in iOS and iPadOS. According to the company, the vulnerability, which was reported anonymously, has been exploited in the wild.
CVE-2022-42827 in Detail
The vulnerability is an out-of-bounds write issue in the Kernel, and has been addressed with improved bounds checking. In terms of its impact, an application could execute arbitrary code with kernel privileges. Owners of iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later should install the update immediately.
Technical details surrounding the zero-day are scarce. In terms of how the flaw was exploited, it may have been used in targeted attacks, but Apple hasn’t shared additional details.
What Is an Out-of-Bounds Write Vulnerability?
According to CWE’s definition, this type of vulnerability refers to the software writing data past the end, or before the beginning, of the intended buffer. In other words, it occurs when a program writes data to a memory location outside the bounds it is allowed to access, which can result in corruption of data, a crash, or execution of code.
As per CWE’s definition, the generic term “memory corruption” is often used to describe the consequences of writing to memory outside the bounds of a buffer, or to memory that is invalid, when the root cause is something other than a sequential copy of excessive data from a fixed starting location. This may include issues such as incorrect pointer arithmetic, or accessing invalid pointers due to incomplete initialization or memory release.
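The CWE pattern described above, as an added example in C (not code from this article or from Apple): a caller-controlled index written into a fixed-size buffer with no range check, beside the bounds-checked form that a fix described as “improved bounds checking” amounts to. The `record` structure, function names and inputs are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16

/* Constructed record: a fixed-size buffer written to at a caller-chosen index. */
struct record {
    uint8_t data[BUF_SIZE];
};

/* Vulnerable pattern (CWE-787): idx is never compared against BUF_SIZE, so
 * idx >= BUF_SIZE writes past the end of data[] and a negative idx writes
 * before its beginning. Only ever called with an in-range index here. */
static void set_byte_unchecked(struct record *r, int idx, uint8_t value) {
    r->data[idx] = value;   /* no bounds check */
}

/* Hardened pattern: reject any index outside [0, BUF_SIZE) before writing.
 * Returns 0 on success, -1 if the write would be out of bounds. */
static int set_byte_checked(struct record *r, int idx, uint8_t value) {
    if (idx < 0 || idx >= BUF_SIZE)
        return -1;
    r->data[idx] = value;
    return 0;
}

/* Hardened bulk copy of a caller-supplied blob: truncates to the buffer size
 * instead of overflowing it. Returns the number of bytes actually stored. */
static size_t copy_checked(struct record *r, const uint8_t *src, size_t len) {
    size_t n = len < BUF_SIZE ? len : BUF_SIZE;
    memcpy(r->data, src, n);
    return n;
}

int main(void) {
    struct record r;
    memset(&r, 0, sizeof r);
    set_byte_unchecked(&r, 0, 0x41);                             /* in range */
    printf("idx 3  -> %d\n", set_byte_checked(&r, 3, 0x41));     /* 0  */
    printf("idx 16 -> %d\n", set_byte_checked(&r, 16, 0x41));    /* -1 */
    printf("idx -1 -> %d\n", set_byte_checked(&r, -1, 0x41));    /* -1 */
    uint8_t blob[32];                                            /* constructed, oversized */
    memset(blob, 0x42, sizeof blob);
    printf("copied %zu of %zu bytes\n", copy_checked(&r, blob, sizeof blob), sizeof blob);
    return 0;
}
```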
This zero-day is not the only fixed vulnerability in this update, as it also addressed 19 other issues in various components, such as Kernel, WebKit, Core Bluetooth, Sandbox, and others.
In August, Apple fixed two other out-of-bounds zero-days that affected macOS, iOS and iPadOS. The zero-days, known as CVE-2022-32893 and CVE-2022-32894, were also used in attacks in the wild. Both vulnerabilities were fixed with improved bounds checking.