The shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously.
Tracked as CVE-2022-22675, the issue has been described as an out-of-bounds write vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.
Apple said the defect was resolved with improved bounds checking, adding it’s aware that “this issue may have been actively exploited.”
The latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for CVE-2022-22674, an out-of-bounds read issue in the Intel Graphics Driver module, enabling a malicious actor to read kernel memory.
The bug was “addressed with improved input validation,” the iPhone maker noted, once again stating there’s evidence of active exploitation, while withholding additional details to prevent further abuse.
The latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of year, not to mention a publicly disclosed flaw in the IndexedDB API (CVE-2022-22594), which could be abused by a malicious website to track users’ online activity and identities in the web browser.
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
- CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
In light of active exploitation of the flaws, Apple iPhone, iPad, and Mac users are highly recommended to upgrade to the latest versions of the software as soon as possible to mitigate potential threats.
The iOS and iPad updates are available to iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).