"Apple Patches New macOS, iOS Zero-Days"

Apple recently rolled out emergency patches for a pair of already exploited zero-day vulnerabilities in its flagship macOS and iOS platforms.  Apple confirmed in-the-wild exploitation of the vulnerabilities in separate advisories warning about code execution flaws in fully patched iPhone, iPad, and macOS devices.  One vulnerability fixed is CVE-2022-32894.  Apple stated that an application might be able to execute arbitrary code with kernel privileges.  An out-of-bounds write issue was addressed with improved bounds checking.  Apple is aware of a report that this issue may have been actively exploited.  The other vulnerability fixed is CVE-2022-32893.  Apple stated that processing maliciously crafted web content might lead to arbitrary code execution.  An out-of-bounds write issue was addressed with improved bounds checking.  Apple is aware of a report that this issue may have been actively exploited as well.  The patches are being pushed to Apple's auto-update mechanism (macOS Monterey 12.5.1, iOS 15.6.1, and iPadOS 15.6.1).  Apple did not release details on the live exploitation or any indicators of compromise to help defenders look for signs of infections.  So far this year, zero-day trackers have documented 27 in-the-wild attacks against widely deployed desktop and mobile software products.  Most of the zero-day attacks aim at defective code from Apple, Google, and Microsoft.

 

SecurityWeek reports: "Apple Patches New macOS, iOS Zero-Days"

Submitted by Anonymous on