Apple Patches 2 Actively Exploited 0-Day RCE Vulnerabilities in MacOS & iOS

August 18, 2022

Apple has released an emergency update patching 2 actively exploited 0-day RCE vulnerabilities, one of which allows arbitrary code execution with kernel privileges.

Both vulnerabilities affect macOS ‘Monterey’, iOS and iPadOS.

The Vulnerabilities

  • CVE-2022-32894 – An out-of-bounds write vulnerability in the kernel may allow an application to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2022-32893 – An out-of-bounds write vulnerability in WebKit. Processing maliciously crafted web content may lead to arbitrary code execution.

Apple is aware of reports that both vulnerabilities may have been actively exploited, but did not release any additional information.

Affected Products

  • Macs running macOS ‘Monterey’ prior to version 12.5.1.
  • iPhones running iOS prior to 15.6.1.
  • iPads running iPadOS prior to 15.6.1.

Mitigation

CYREBRO recommends updating macOS ‘Monterey’ to version 12.5.1 or newer to mitigate the vulnerabilities.

For iPhones and iPads, update to version 15.6.1 or newer.
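To find which devices still need these updates, the following added example (not part of the original advisory, and not CYREBRO's or Apple's code) triages a device inventory against the fixed versions listed above. The CSV layout, hostnames and status labels are assumptions constructed for illustration.

```python
import csv
import io

# Fixed versions exactly as stated in the advisory above.
FIXED = {"macos": (12, 5, 1), "ios": (15, 6, 1), "ipados": (15, 6, 1)}

def parse_version(text):
    """'15.6' -> (15, 6, 0). Comparing integers avoids the string-compare
    pitfall where '12.10' sorts before '12.5.1'."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError if malformed
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(platform, version):
    """Return 'needs-update', 'patched', 'out-of-scope' or 'unknown-version'."""
    key = platform.strip().lower()
    if key not in FIXED:
        return "out-of-scope"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown-version"  # missing or malformed: check the device by hand
    # The advisory lists only macOS Monterey (major version 12) for Macs.
    if key == "macos" and v[0] != 12:
        return "out-of-scope"
    return "needs-update" if v < FIXED[key] else "patched"

def audit(csv_text):
    """Map hostname -> status for every row of an inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: triage(r["platform"], r["os_version"]) for r in rows}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """\
hostname,platform,os_version
mac-fin-01,macOS,12.5
mac-dev-07,macOS,12.5.1
mac-old-02,macOS,11.6.8
iphone-114,iOS,15.6
ipad-023,iPadOS,15.6.1
ipad-031,iPadOS,
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Devices reported as `out-of-scope` are outside this advisory's affected list only; they still need their own patch-level review.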

References: Apple Advisory

 
