Urgent security patch from Apple
Apple pushed emergency updates to their iOS, MacOS, iPadOS, and WatchOS (WatchOS has no published CVE yet) systems today in relation to two zero-day exploits said to have been used in the wild. We’re here to urge you to apply these updates as soon as possible.
About the vulnerabilities
There are two vulnerabilities that are addressed in this update.
The first is an out-of-bounds write issue within the kernel itself. If exploited, this could lead to arbitrary code execution with kernel privileges. In layman’s terms, arbitrary code execution means that an attacker can make the device run whatever code they want it to. Not good. This issue is being tracked as CVE-2022-32894.
The second is an out-of-bounds write issue with WebKit. WebKit, if you’re not familiar, iis a browser engine developed in-house by Apple and used in their Safari web browser. If the browser processes malicious web content, it could also lead to arbitrary code execution. Again, not good. This issue is being tracked as CVE-2022-32893 and WebKit Bugzilla: 243557
How to update
To update your iPhone, iPad, or Apple Watch go to Settings > General > Software Update. Make sure you’re connected to Wi-Fi and your device is plugged into power.
To update your Mac, go to the Apple icon in the top left corner of your screen, click About This Mac, and then click Software Update.
Potential impact
Apple says in their release that they’re “aware of a report that this issue may have been actively exploited.” While they don’t say exactly how, by who, or how mature the exploit is, it’s safe to say that any vulnerability that allows arbitrary code to be run on a device should be remediated as quickly as possible. A potential attacker could leverage these vulnerabilities for an array of purposes. In previous iterations, the infamous spyware tool Pegasus used memory corruption vulnerabilities in WebKit and the kernel to secretly jailbreak the iOS device and install the surveillance software. It’s unclear whether or not these vulnerabilities have been used in newer versions of Pegasus, but one starts to wonder how and where they’re being used.
TL;DR. WebKit and kernel bugs are bad. Update ASAP.
