About the vulnerabilities (CVE-2022-32894, CVE-2022-32893)
CVE-2022-32894 is an out-of-bounds write issue in the operating systems’ kernel that can be exploited by a malicious application to execute arbitrary code with kernel privileges (and take control over the entire system).
CVE-2022-32893 is an out-of-bounds write issue in WebKit – Apple’s browser engine that powers its Safari web browser and all iOS web browsers – that can be triggered by the processing of maliciously crafted web content. It can also lead to arbitrary code execution.
Both were reported by an anonymous researcher.
As per usual, Apple did not share details about the attacks that leverage the two zero-days, but it’s likely that the flaws are being exploited for targeted attacks.
Nevertheless, all users should implement the updates as soon as possible, by upgrading to:
- iOS 15.6.1
- iPadOS 15.6.
- macOS 12.5.1 (updates for other supported macOS versions will likely follow at a later date)
Also fixed: A Chrome zero-day (CVE-2022-2856)
macOS users who use Google Chrome and don’t have automatic updating switched on should also make sure to update that browser, because Google has pushed out a new version that fixes – among other vulnerabilities – CVE-2022-2856, an improper input validation bug affecting Chrome Intent.
Google says that the zero-day has been flagged by Ashley Shen and Christian Resell of Google Threat Analysis Group, and that it “is aware that an exploit for CVE-2022-2856 exists in the wild.”
“A Chrome Intent is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app that’s launched to process that data,” noted Paul Ducklin, Principal Research Scientist at Sophos.
“Google hasn’t provided any details of which apps, or what sort of data, could be maliciously manipulated by this bug (…) but the danger seems rather obvious if the known exploit involves silently feeding a local app with the sort of risky data that would normally be blocked on security grounds.”
Aside from a new version of Chrome for Mac, Google has also released new versions for Windows and Linux that fix the same vulnerabilities, and they will all be rolled out over the coming days/weeks.
UPDATE (August 19, 2022, 05:58 a.m. ET):
The WebKit flaw has been separately fixed in Safari 15.6.1.
UPDATE (September 1, 2022, 05:15 a.m. ET):
Apple has backported the patch for CVE-2022-32893 to iOS 12.5.6, and says that iOS 12 is not impacted by CVE-2022-32894.