Apple has released a round of software updates for iOS, iPadOS, macOS, and Safari, and we highly recommend you install them as soon as possible. The updates patch kernel and WebKit flaws that could allow attackers to take over a device.
All devices running iOS and iPadOS 15.6, as well as macOS Monterey 12.5, are affected. The main flaw, CVE-2022-32894, impacts both the mobile and desktop operating systems. Apple describes CVE-2022-32894 as an “out-of-bounds write issue” that allows attackers to execute arbitrary code with kernel privileges via a compromised application.
Apple didn’t give any examples but said the vulnerability has likely been exploited.
The second flaw, CVE-2022-32893, is a WebKit bug that is likewise an out-of-bounds write issue. CVE-2022-32893 means that processing “maliciously crafted web content” can “lead to code execution.” Apple said this CVE is also likely to have been exploited.
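Both CVEs are described as out-of-bounds writes, so it is worth seeing what that bug class looks like and why a single missing length check matters. The following C snippet is an added illustration written for this post, not code from Apple, WebKit, or either vulnerability: it uses a constructed 16-byte region where the first 8 bytes are the intended buffer and the remaining bytes stand in for whatever happens to sit next to it in memory (another field, a pointer, a length). An unchecked copy that trusts a caller-supplied length overwrites those neighbouring bytes; the bounds-checked variant rejects the oversized input instead. The function and constant names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout for the demo: a region whose first BUF_CAP bytes are
 * the intended buffer and whose remaining bytes model adjacent memory
 * (filled with a canary byte so any overwrite becomes visible). */
#define REGION_LEN 16
#define BUF_CAP 8
#define CANARY_BYTE 0xAA

/* Unchecked copy: trusts the caller-supplied length. This is the
 * out-of-bounds write bug class in its simplest form. */
static void copy_unchecked(unsigned char *dst, const unsigned char *src, size_t len)
{
    memcpy(dst, src, len);
}

/* Bounds-checked copy: refuses input that does not fit the destination.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_checked(unsigned char *dst, size_t cap, const unsigned char *src, size_t len)
{
    if (len > cap)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Zero the buffer part and paint the neighbouring bytes with the canary. */
static void init_region(unsigned char *region)
{
    memset(region, 0, BUF_CAP);
    memset(region + BUF_CAP, CANARY_BYTE, REGION_LEN - BUF_CAP);
}

/* Count neighbouring bytes that no longer hold the canary value. */
int neighbour_bytes_clobbered(const unsigned char *region)
{
    int n = 0;
    for (size_t i = BUF_CAP; i < REGION_LEN; i++)
        if (region[i] != CANARY_BYTE)
            n++;
    return n;
}

/* Feed input_len bytes of constructed input through the unchecked path and
 * report how many neighbouring bytes were overwritten. The clamp keeps the
 * demo itself inside the region so the program remains well defined. */
int demo_unchecked(size_t input_len)
{
    unsigned char region[REGION_LEN];
    unsigned char input[REGION_LEN];
    if (input_len > REGION_LEN)
        input_len = REGION_LEN;
    memset(input, 0x41, sizeof input);
    init_region(region);
    copy_unchecked(region, input, input_len);
    return neighbour_bytes_clobbered(region);
}

/* Same experiment through the checked path. Stores the copy's return code
 * in *rc and reports the clobbered count, which should always be zero. */
int demo_checked(size_t input_len, int *rc)
{
    unsigned char region[REGION_LEN];
    unsigned char input[REGION_LEN];
    if (input_len > REGION_LEN)
        input_len = REGION_LEN;
    memset(input, 0x41, sizeof input);
    init_region(region);
    *rc = copy_checked(region, BUF_CAP, input, input_len);
    return neighbour_bytes_clobbered(region);
}

int main(void)
{
    int rc;
    printf("unchecked, 12-byte input: %d neighbouring bytes clobbered\n",
           demo_unchecked(12));
    printf("checked, 12-byte input: %d clobbered, rc=%d\n",
           demo_checked(12, &rc), rc);
    return 0;
}
```

In a real kernel or browser engine the bytes past the buffer are not a canary but live data, which is why Apple's advisory language jumps straight from "out-of-bounds write" to "arbitrary code execution": corrupting an adjacent pointer or length field is enough to redirect the program. The fix is the same shape as `copy_checked`: validate the length against the destination's capacity before the write.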
Both flaws, if exploited correctly, offer attackers a near Pegasus-like amount of control over an end user's device. Pegasus is software created by the Israel-based NSO Group that has been compromising iPhones the world over. We’ve previously covered that here and here.
You can read more about Apple’s security updates on this webpage: https://support.apple.com/en-us/HT201222