Apple on Monday fixed a high-risk vulnerability that gives attackers the ability to execute malicious code running with the highest privileges inside the operating system kernel for fully updated iPhones and iPads.
in AdvisorWhile tracking the vulnerability, Apple said that CVE-2022-42827 “may have been actively exploited,” using a phrase used in the industry to indicate that a previously unknown vulnerability is being exploited. The memory corruption defect is the result of “write out of bounds”, which means that Apple software was putting in code or data outside a buffer zone protected. Hackers often exploit such vulnerabilities so that they can funnel malicious code into sensitive areas of the operating system and then cause its execution.
Apple said the vulnerability was reported by an “anonymous researcher,” without elaborating.
this is A spreadsheet maintained by Google researchers Show that Apple has set seven zero days so far this year, excluding CVE-2022-42827. Counting the latter would bring Apple’s zero-day total for 2022 to eight. However, Bleeping Computer said CVE-2022-42827 is from Apple the ninth zero day It was fixed in the last 10 months.
Zero days are vulnerabilities that are discovered and either actively leaked or exploited before the responsible vendor has a chance to release a patch to fix the bug. A single zero-day often sells for a million dollars or more. To protect their investment, attackers with zero-day access typically operate in nation states or other organizations with deep pockets and exploit vulnerabilities in highly targeted campaigns. Once the seller recognizes the zero day, it is usually quickly corrected, causing the exploitation value to decline.
The economy makes it unlikely that most people will be targeted by this vulnerability. Now that a patch is available, other attackers will have the opportunity to reverse engineer it to create their own vulnerabilities to use against unpatched devices. Affected users—including those using iPhone 8 and later, iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later—must ensure that they are running iOS 16.1 or iPadOS 16.
Along with CVE-2022-42827, the updates fix 19 other vulnerabilities, including two in the kernel, three in the Point-to-Point protocol, two in WebKit, and one in AppleMobileFileIntegrity, Core Bluetooth, IOKit, and a sandbox iOS this.
“Alcohol maven. Evil bacon lover. Wannabe social media geek. Travel guru. Amateur introvert. Pop culture nerd.”