Apple released a major iOS update Monday with fixes for at least 20 documented security flaws, including a kernel flaw that is already being actively exploited in the wild.
The Cupertino-based device maker has confirmed active exploitation of CVE-2022-42827, warning in a basic advisory that the flaw exposes iPhones and iPads to arbitrary code execution attacks.
“An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” Apple said in a note documenting the security vulnerabilities.
As usual, Apple did not disclose details of the active exploit or provide any indicators of compromise or other data to help iOS users check for signs of infection.
The company described the exploited bug as an out-of-bounds write issue resolved with improved bounds checking and said it was reported by an anonymous researcher.
So far this year, there have been at least eight (8) documented zero-day attacks in the wild against Apple devices as the company’s security response teams scrambled to cover holes in its platforms. -flagship forms macOS, iOS and iPadOS.
[READ: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem ]
The latest iOS 16.1 refresh also includes fixes for at least four additional issues that expose iOS devices to code execution attacks.
These include:
- CVE-2022-42813 — CFNetwork — Processing a maliciously crafted certificate may result in execution of arbitrary code A certificate validation problem existed in the handling of WKWebView. This issue was addressed through improved validation. Reported by Jonathan Zhang of Open Computing Facility.
- CVE-2022-42808 — Kernel — A remote user can cause kernel code to execute. An out-of-bounds write issue has been resolved with an enhancement. Reported by Zweig from Kunlun Lab
- CVE-2022-42823 — WebKit — Processing maliciously crafted web content may result in execution of arbitrary code. A type confusion issue was addressed through better memory management. Reported by Dohyun Lee (@l33d0hyun) of SSD Labs.
- CVE-2022-32922 — WebKit PDF — Processing maliciously crafted web content may result in execution of arbitrary code. A post-free usage issue has been addressed with better memory management. Reported by Yonghwi Jin to Theori.
The mobile security update also fixes flaws in AppleMobileFileIntegrity, AVEVideoEncoder, Core Bluetooth, GPU Drivers, IOHIDFamily, Sandbox and Shortcuts.
Related: Apple ships urgent security patches for macOS, iOS
Related: Apple releases patches for FORCEDENTRY Zero-Days
Related: Apple Warns Against MacOS Kernel Zero Day Exploit
Ryan Naraine is editor of SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a seasoned cybersecurity strategist who has implemented security engagement programs for major global brands including Intel Corp., Bishop Fox and GReAT. He is co-founder of Threatpost and the SAS Global Conference Series. Ryan’s previous career as a security journalist included articles in major technology publications, including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the nonprofit organization Security Tinkerers, an advisor to startup entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.
Key words:
