Apple is urging iPhone, iPad and Mac users to upgrade their devices immediately, to guard against two security vulnerabilities that attackers could use to seize control of their devices.
The company issued two security reports about the issues last week. In both instances, Apple said it was aware of reports suggesting that hackers may have actively exploited the vulnerabilities in question.
One of the software bugs, tracked as CVE-2022-32894, affects the kernel, the deepest layer of the operating system, which is common in all devices.
A malicious application that takes leverages this flaw may be able to run arbitrary code with kernel privileges. Attackers could use this to achieve admin control of the target device. Apple described the flaw as an out-of-bounds write issue that was fixed with improved bounds checking.
The second flaw, tracked as CVE-2022-32893, affects WebKit, the engine that powers the Safari web browser. If a user accesses ‘maliciously-crafted web content,’ this out-of-bounds write vulnerability could lead to arbitrary code execution. Again, Apple used improved bounds checking to fix the issue.
The bugs are thought to be related and affect iOS, iPadOS and macOS Monterey.
New updates – iOS 15.6.1 and iPadOS 15.6.1 – are available for the iPhone 6s and later; iPad Pro (all models); iPad Air 2 and later; iPad 5th generation and later; iPad mini 4 and later; and iPod touch (7th generation).
Meanwhile, Mac owners using macOS Monterey should upgrade to Monterey 12.5.1.
Although Apple says it is ‘aware of reports’ of the vulnerabilities being exploited, there have been no confirmed attacks yet. Still, security experts say people in the public spotlight – like activists or journalists, who may be the targets of sophisticated nation-state spying – should pay special attention to upgrading their software.
iPhone and iPad users can get the update by navigating to the ‘Settings’ section of their device and selecting ‘Software Update’. They will see the option to download and install 15.6.1.
It is not the first time that Apple has discovered security vulnerabilities impacting Webkit. Last year, it released an urgent security patch to address a zero‑day bug under active attack in Webkit; and in January 2020, the company addressed three zero-day bugs affecting WebKit and a separate one affecting the iOS kernel.
Earlier this year, security researchers shared details of a bug in Safari that attackers could use to steal information about a users’ recent browsing history, and even some details of their logged-in accounts.