Apple has issued security patches to address two zero-day vulnerabilities, one of which has been publicly disclosed and the other exploited in the wild by hackers to access iPhones and Macs. The first zero-day fixed (tracked as CVE-2022-22587) [1, 2] is a memory corruption flaw in IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey.
Successful exploitation of this flaw results in arbitrary code execution with kernel privileges on the affected device. “Apple is aware of a report that this issue may have been actively exploited,” Apple stated while describing the zero-day flaw.
The following devices are affected:
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- macOS Monterey
The flaw was initially discovered by an anonymous cybersecurity researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01). Both Firouzi and Aeri claimed to have discovered the vulnerability separately and were unaware that it had been exploited in the wild by threat actors.
The second zero-day is a Safari WebKit issue that allows websites to track users’ browsing activity and identities in real time on iOS and iPadOS. Martin Bajanik of FingerprintJS initially reported the flaw to Apple on November 28th, 2021, and it was publicly disclosed on January 14th, 2022. The vulnerability was given the CVE-2022-22594 designation when the researcher revealed it, and it was fixed in the iOS 15.3 and iPadOS 15.3 security updates.
These flaws are Apple’s first zero-day vulnerabilities of 2022. In 2021, by contrast, Apple fixed what seemed like an endless series of zero-day flaws that were exploited in attacks against iOS and macOS devices. The Pegasus spyware was installed on the iPhones of journalists, activists, and politicians using many zero-day vulnerabilities.