Apple fixes zero-day vulnerabilities already used in attacks

Apple fixes exploited zero-day bugs with the Safari 15.6.1 release

Apple releases fixes for macOS and Safari to address bugs. Zero-day vulnerabilities addressed again

Apple provided a security update for macOS Big Sur and Catalina to fix zero-day vulnerabilities exploited in the wild. These bugs were used to hack Mac devices and are now patched.[1] The CVE-2022-32893 flaw is an out-of-bounds write issue in WebKit that could allow a threat actor to execute commands remotely on a vulnerable device. The bug is triggered by the processing of maliciously crafted web content, after which attackers can execute arbitrary code. Apple released a bulletin and informed users that the issue may already have been exploited.[2]

An out-of-bounds[3] write is a flaw in which an attacker can supply input to a program that causes data to be written past the end or before the beginning of a memory buffer. As a result, the program can crash, data can be corrupted, and code can be executed remotely. Apple states that the bug was fixed with improved bounds checking.
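To make the two directions of an out-of-bounds write concrete, here is an added example (not from the original article and not Apple's WebKit code) showing an unchecked write beside a bounds-checked one. The arena layout, guard bytes and function names are all constructed for illustration; the stray writes land in guard bytes of the same array so the demonstration stays well defined.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 16-byte logical buffer with 8 guard bytes on each
   side, all inside one array so stray writes remain observable and defined. */
#define GUARD   8
#define BUF_LEN 16
static unsigned char arena[GUARD + BUF_LEN + GUARD];

static void arena_reset(void) {
    memset(arena, 0xAA, sizeof arena);      /* guard pattern */
    memset(arena + GUARD, 0, BUF_LEN);      /* empty logical buffer */
}

/* Returns 1 if any guard byte before or after the buffer was overwritten. */
static int guards_corrupted(void) {
    for (size_t i = 0; i < GUARD; i++)
        if (arena[i] != 0xAA || arena[GUARD + BUF_LEN + i] != 0xAA)
            return 1;
    return 0;
}

/* "Before": trusts the caller-supplied offset and length. */
static void write_unchecked(long off, const void *src, size_t len) {
    memcpy(arena + GUARD + off, src, len);
}

/* "After": rejects writes before the start or past the end of the buffer.
   The length test is written as a subtraction so off + len cannot wrap. */
static int write_checked(long off, const void *src, size_t len) {
    if (off < 0 || (size_t)off > BUF_LEN) return -1;
    if (len > BUF_LEN - (size_t)off)      return -1;
    memcpy(arena + GUARD + off, src, len);
    return 0;
}

int main(void) {
    const unsigned char data[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    arena_reset();
    write_unchecked(12, data, 8);           /* runs 4 bytes past the end */
    printf("unchecked, past end: corrupted=%d\n", guards_corrupted());
    arena_reset();
    printf("checked, past end: rc=%d corrupted=%d\n",
           write_checked(12, data, 8), guards_corrupted());
    return 0;
}
```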

The company states that the vulnerability was disclosed to Apple by a researcher who remains anonymous. When this happened was not disclosed. However, the news comes after other incidents with zero-day vulnerabilities that have been addressed this week. This same flaw was patched by Apple for macOS Monterey and iPhone/iPads.[4]

The seventh zero-day fixed by Apple this year

This zero-day vulnerability is now addressed. Apple does not provide details on how the flaw was used in the attacks, but states that it had been actively exploited before the patch. This has been a big year for zero-days at Apple, however: the company has patched six other vulnerabilities this year.

  • In January, Apple addressed actively exploited flaws that allowed an attacker to execute code with kernel privileges and track web browsing activity. These two are CVE-2022-22587 and CVE-2022-22594.[5]
  • In February, security updates were released to fix a new zero-day bug exploited to hack iPhones, iPads, and Mac devices.
  • In March, Apple patched two zero-day vulnerabilities. These flaws, in the Intel Graphics Driver and AppleAVD, are tracked as CVE-2022-22674 and CVE-2022-22675.

The misconception that Apple devices cannot be hacked or infected

To this day, people believe that Apple devices are immune to cyber threats and cannot even be hacked. However, iPhones and other Apple machines can be hacked and infected with spyware even when people do not click on any links or pop-up ads, whether those are malicious or just rogue and related to shady sponsored content.

Apple devices can be compromised, and their sensitive data might be stolen, via hacking software that does not require interaction with any content. There are various reports that iPhones belonging to journalists and human rights activists have already been infected with malware named Pegasus from hacker groups like the NSO gang.

These targeted attacks are very sophisticated and cost millions of dollars to develop. Often these hackers use their products and campaigns to target specific individuals and organizations. Avoiding phishing links in messages may not protect iPhone users enough, because hackers have more advanced methods and develop particular malware like this, which does not need a click on a malicious link in a message to execute the spyware.

Updating Apple software helps fix these exploitable vulnerabilities and avoid malware issues. Always keep the machine and its programs up to date.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
