Several critical security bugs have been discovered in Apple’s operating systems. Potentially already used by unscrupulous hackers, these flaws fortunately benefit from a patch to be installed as soon as possible.
It’s time to update all your Apple machines. The manufacturer has just deployed new versions of iOS, iPadOS and macOS which correct several critical security flaws. Pushed to all affected machines on August 17, 2022, these updates should be installed as soon as possible given the seriousness of the bugs discovered.
Two flaws present on three different OS
The three operating systems are affected by the same flaws. A first concerns the kernel of the various OS and another key WebKit, the rendering engine of Safari. According to Apple, these flaws “could have been used” by malicious hackers and their discoveries are to be credited “from an anonymous specialist”says the company.
The machines affected are:
- Macs running macOS Monterey
- iPhones since the 6S
- iPad Pro, iPad Air (since 2), iPad (since 5th generation), iPad Mini (since 4) and iPod Touch (since 7)
No patches for older versions of macOS have been deployed, despite the fact that some of them are still receiving updates from Apple. We can therefore assume that only macOS Monterey is affected.
Seven critical patches deployed since early 2022
Both flaws allow more or less the same thing, arbitrary code execution on a machine. To put it more simply, by exploiting these flaws, it is possible to ask the target machine to do roughly what you want: create or delete files, leak information, completely immobilize the device…
In both cases, this is an out-of-bounds write flaw (or out-of-bounds for English speakers) that allows software to write beyond the limits of the intended buffer. Whether it’s the kernel or the WebKit rendering engine, the processes are supposed to be more or less isolated from the rest of the system to avoid these kinds of problems. These flaws make it possible to break these limits and infiltrate the entire OS.
The first flaw (which inherits the code name CVE-2022-32894) also affects the system kernel and therefore allows code to be executed with the highest level of privilege possible. The second (CVE-2022-32893), since it affects the web rendering engine, can be exploited by simply tricking the victim into visiting a website containing malicious code.
This is the seventh time this year that Apple has corrected flaws of this magnitude. A good way to remember that updating is crucial if you want to stay in control of your data.