"Apple Patches Remote Code Execution Flaws in iOS, macOS"

Apple recently released out-of-band patches for iOS and macOS to address two arbitrary code execution vulnerabilities in the libxml2 library.  Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents.  Apple stated the two vulnerabilities, tracked as CVE-2022-40303 and CVE-2022-40304, could lead to remote code execution.  Apple has credited Google Project Zero security researchers for discovering both issues.  Apple noted that a remote user may be able to cause unexpected app termination or arbitrary code execution for both security flaws.  According to Apple, the first of the flaws exists because the lack of specific limitations could lead to integer overflows.  Apple noted that improved input validation resolved the issue.  In the case of the second vulnerability, in specific conditions, memory errors such as double-free bugs could emerge.  Apple says that improved checks fixed the defect.  Apple addressed the flaws with the release of macOS Ventura 13.0.1 and iOS 16.1.1, and iPadOS 16.1.1 (for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th gen and later, and iPad mini 5th gen and later).  Apple did not mention if the vulnerabilities were actively being exploited in attacks.  However, proof-of-concept (PoC) code targeting CVE-2022-40303, as well as full technical details on CVE-2022-40304 have been published online, which explains why Apple rushed the fixes.

SecurityWeek reports: "Apple Patches Remote Code Execution Flaws in iOS, macOS"