Apple has issued security fixes to address a zero-day vulnerability that attackers can use to target Macs and Apple Watch devices. Zero-day vulnerabilities are defects in software that the vendor is ignorant of and has not yet fixed. Before a fix is released, this vulnerability may have publicly available proof-of-concept exploits or be actively exploited in the wild.
In security advisories released on Monday, Apple stated that they are aware of allegations that this security flaw “may have been actively exploited.” The weakness is an out-of-bounds write vulnerability in AppleAVD (a kernel extension for audio and video decoding) that allows applications to run arbitrary code with kernel privileges.
Apple patched the flaw in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with enhanced bounds checking after anonymous researchers reported it. Apple Watch Series 3 or later, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD are all affected. While Apple acknowledged instances of active exploitation in the wild, it provided no other information on the attacks.
By withholding information, Apple presumably hopes to provide security patches to as many Apple Watches and Macs as possible before attackers catch up on the zero-specific days and use vulnerabilities in other cyberattacks. Even though this zero-day was most likely only exploited in targeted attacks, it’s still critical to install today’s macOS and watchOS security patches as soon as possible to prevent attacks.
In January, Apple addressed two other zero-day vulnerabilities that let attackers obtain arbitrary code execution with kernel privileges (CVE-2022-22587) and track web surfing activities and user identities in real-time (CVE-2022-22594). One month later, Apple published security upgrades to address a new zero-day problem (CVE-2022-22620) that may be used to hack iPhones, iPads, and Macs, resulting in OS failures and remote code execution.
Two additional actively exploited zero-days in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD video decoder (CVE-2022-22675) were discovered in March, the latter being backported today in earlier macOS versions, watchOS 8.6, and tvOS 15.5. These five zero-day vulnerabilities affect iPhones (iPhone 6s and later), Macs running macOS Monterey, and various iPad devices. Throughout last year, Apple fixed a slew of zero-day vulnerabilities discovered in the wild and targeted iOS, iPadOS, and macOS devices.