Apple has released updates for its mobile and desktop operating systems to fix security flaws that may well have been exploited in the wild.
On Thursday, the iPhone giant released macOS Monterey 12.3.1; iOS 15.4.1 and iPadOS 15.4.1; tvOS 15.4.1; and watchOS 8.5.1 to fix vulnerabilities in its software.
The Monterey release closes CVE-2022-22675, an out-of-bounds write flaw, reported by an anonymous researcher, in the driver-level AppleAVD audio-video decoder. This can be abused by an application to execute kernel-level code, which means a malicious application or user can gain powerful privileges and completely take control of the machine.
Apple said it “is aware of a report that this issue may have been actively exploited.” The bug was fixed by applying an improved memory limit check.
The Monterey update also fixes CVE-2022-22674, an out-of-bounds read flaw, again reported by an anonymous researcher, in the operating system’s Intel graphics driver. This can be exploited by a malicious application or user to gain access to kernel memory that should be out of reach, and thus steal any secrets hidden there, such as keys and credentials.
Again, Apple said it is aware of a report that this flaw has been actively exploited. This bug has been eliminated by performing better validation of user input.
The iOS and iPadOS versions patch the same AppleAVD flaw, which means malicious apps for phones and tablets can exploit the bug to hijack devices. There were, oddly, no advisories for the security versions of tvOS and watchOS because each “update has no published CVE entries”, according to Apple.
Users should apply these updates as soon as they can, if they have not already been automatically installed. The macOS vulnerabilities are present in at least Macs running Monterey. The iOS update is available for iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
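For admins checking a fleet against the fixed releases listed above, here is an added example (not code from this article or from Apple). The host names and inventory format are constructed, and devices on an earlier major OS release are reported as unverified because the article does not cover them.

```python
# Added example: audit an inventory against the fixed releases named in the article.
# Platform -> (first fixed version, CVEs the article says that release closes).
FIXED = {
    "macOS": ((12, 3, 1), ["CVE-2022-22675", "CVE-2022-22674"]),
    "iOS": ((15, 4, 1), ["CVE-2022-22675"]),
    "iPadOS": ((15, 4, 1), ["CVE-2022-22675"]),
}

def parse_version(text):
    """'15.4' -> (15, 4, 0). Padding makes 12.3 compare below 12.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(platform, version):
    """Return (status, open_cves) for one device."""
    if platform not in FIXED:
        # tvOS / watchOS: the article reports no published CVE entries.
        return ("no-cve-listed", [])
    fixed, cves = FIXED[platform]
    current = parse_version(version)
    if current >= fixed:
        return ("patched", [])
    if current[0] < fixed[0]:
        # Assumption: earlier major releases are not covered by the article,
        # so report them for manual review instead of guessing.
        return ("unverified", cves)
    return ("vulnerable", cves)

# Constructed sample inventory: (host, platform, OS version).
INVENTORY = [
    ("mbp-01", "macOS", "12.3"),
    ("mbp-02", "macOS", "12.3.1"),
    ("imac-03", "macOS", "11.6.5"),
    ("iphone-04", "iOS", "15.4"),
    ("ipad-05", "iPadOS", "15.4.1"),
    ("atv-06", "tvOS", "15.4"),
]

def audit(inventory):
    """Map each host to its (status, open_cves) result."""
    return {host: assess(platform, version) for host, platform, version in inventory}

if __name__ == "__main__":
    for host, (status, cves) in audit(INVENTORY).items():
        print(f"{host:10} {status:14} {', '.join(cves)}")
```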
We note that Apple, so far this year, has fixed a bunch of wildly exploited bugs in its products in January and February. ®