Apple patches double zero-day in browser and kernel – update now!
2022-08-18 19:33

Apple has just pushed out an emergency update for two zero-day bugs that are reportedly being actively exploited.

There's a remote code execution hole, CVE-2022-32893, in WebKit, Apple's browser and HTML rendering engine, by means of which a booby-trapped web page can trick iPhones, iPads and Macs into running unauthorised and untrusted software code.

There's also a kernel code execution hole, CVE-2022-32894, by which an attacker who has already gained a basic foothold on your Apple device (for example by exploiting the WebKit bug above) could jump from controlling just a single app to taking over the operating system kernel itself, thus acquiring the sort of "administrative superpowers" normally reserved for Apple itself.

Apple hasn't said how these bugs were found, hasn't said where in the world they've been exploited, and hasn't said who's using them or for what purpose.

At the time of writing, Apple has published advisories for iPadOS 15 and iOS 15, which both get updated version numbers of 15.6.1, and for macOS Monterey 12, which gets an updated version number of 12.5.2. No advisories had yet appeared for older macOS releases (Big Sur, Catalina) or for older iOS versions.
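The practical question for anyone reading this is "am I already on a fixed build?". The script below is an added example, not part of the Naked Security article or any Apple tooling: it encodes the fixed version numbers quoted above (15.6.1 for iOS/iPadOS, 12.5.2 for macOS Monterey) and compares a dotted version string against them numerically, field by field, so that 12.10 correctly sorts above 12.9 and 12.5 is treated as older than 12.5.2. The product names `ios`, `ipados` and `macos` and the function names are this example's own choices; `sw_vers -productVersion` is the standard macOS command for the running version.

```shell
#!/bin/sh
# Added example: check whether an Apple OS version is at or above the
# build that fixes CVE-2022-32893 / CVE-2022-32894. Fixed versions are
# the ones named in the article; product keys are this script's own.

# version_ge A B: succeed (return 0) if dotted version A >= B.
# Compares each dot-separated field as an integer; a missing field
# counts as 0, so "12.5" == "12.5.0" < "12.5.2". Inputs are expected
# to be purely numeric dotted versions (e.g. the output of sw_vers).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    fa=${a%%.*}; fb=${b%%.*}          # leading field of each version
    case $a in *.*) a=${a#*.};; *) a="";; esac   # drop that field
    case $b in *.*) b=${b#*.};; *) b="";; esac
    fa=${fa:-0}; fb=${fb:-0}
    [ "$fa" -gt "$fb" ] && return 0
    [ "$fa" -lt "$fb" ] && return 1
  done
  return 0                            # all fields equal
}

# fixed_version PRODUCT: first version carrying the fix, per the advisories
# quoted in the article. Only the product lines that had advisories at the
# time of writing are listed; anything else is "unknown", not "patched".
fixed_version() {
  case "$1" in
    ios|ipados) printf '15.6.1\n' ;;
    macos)      printf '12.5.2\n' ;;
    *)          return 1 ;;
  esac
}

# is_patched PRODUCT VERSION: print a verdict; return 0 if patched,
# 1 if the version predates the fix, 2 if the product is not known.
is_patched() {
  fixed=$(fixed_version "$1") || { echo "unknown product: $1" >&2; return 2; }
  if version_ge "$2" "$fixed"; then
    echo "patched"
    return 0
  fi
  echo "VULNERABLE (needs $fixed)"
  return 1
}

# Usage on a Mac: check the running system. Guarded so the script also
# runs (and does nothing) on hosts without sw_vers.
if command -v sw_vers >/dev/null 2>&1; then
  is_patched macos "$(sw_vers -productVersion)"
fi
```

Note that a Big Sur or Catalina machine will be reported as vulnerable "needs 12.5.2", which is the right conclusion at the time of writing (no fix existed for those releases) even though the suggested version is a Monterey build; treat the verdict, not the suggested number, as the actionable part on such systems.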


News URL

https://nakedsecurity.sophos.com/2022/08/18/apple-patches-double-zero-day-in-browser-and-kernel-update-now/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                  RISK (CVSS)
2022-08-24  CVE-2022-32894  Out-of-bounds Write vulnerability in Apple products  7.8
            Description:     An out-of-bounds write issue was addressed with improved bounds checking.
            Attack vector:   local
            Complexity:      low
            Vendor:          Apple
            Weakness:        CWE-787 (Out-of-bounds Write)

Related vendor (vulnerability counts for the last 12 months, by severity)

VENDOR   #/PRODUCTS  LOW   MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Apple    68          212   1433    2208  257       4110
Kernel   3           0     8       4     1         13