Apple fixes exploited zero-days: Update your devices! (CVE-2022-32894, CVE-2022-32893)
2022-08-18 09:50

Apple has released security updates for iOS, iPadOS, and macOS Monterey to fix CVE-2022-32894 and CVE-2022-32893, two code execution vulnerabilities exploited by attackers in the wild.

CVE-2022-32894 is an out-of-bounds write issue in the operating systems' kernel that can be exploited by a malicious application to execute arbitrary code with kernel privileges.

CVE-2022-32893 is an out-of-bounds write issue in WebKit - Apple's browser engine that powers its Safari web browser and all iOS web browsers - that can be triggered by the processing of maliciously crafted web content.

As per usual, Apple did not share details about the attacks that leverage the two zero-days, but it's likely that the flaws are being exploited for targeted attacks.

macOS users who use Google Chrome and don't have automatic updating switched on should also make sure to update that browser, because Google has pushed out a new version that fixes - among other vulnerabilities - CVE-2022-2856, an improper input validation bug affecting Chrome Intent.

"A Chrome Intent is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app that's launched to process that data," noted Paul Ducklin, Principal Research Scientist at Sophos.


News URL

https://www.helpnetsecurity.com/2022/08/18/cve-2022-32894-cve-2022-32893-cve-2022-2856/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDORS | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2022-09-26 | CVE-2022-2856 | Improper Input Validation vulnerability in multiple products | Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 104.0.5112.101 allowed a remote attacker to arbitrarily browse to a malicious website via a crafted HTML page. | network | low | google, fedoraproject | CWE-20 | 6.5 |
| 2022-08-24 | CVE-2022-32894 | Out-of-bounds Write vulnerability in Apple products | An out-of-bounds write issue was addressed with improved bounds checking. | local | low | apple | CWE-787 | 7.8 |
| 2022-08-24 | CVE-2022-32893 | Out-of-bounds Write vulnerability in multiple products | An out-of-bounds write issue was addressed with improved bounds checking. | | | | | 8.8 |

Related vendor

| VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|---|
| Apple | | 72 | 238 | 1567 | 2279 | 265 | 4349 |