Apple fixed the first two zero-day vulnerabilities of 2022

Apple released security updates to fix two zero-day flaws, one of them actively exploited to hack iPhones and Macs.

Apple has released security updates to address a couple of zero-day vulnerabilities, one of them being actively exploited in the wild by threat actors to compromise iPhone and Mac devices.

One of the zero-day flaws addressed by the IT giant, tracked as CVE-2022-22587, is a memory corruption issue that resides in the IOMobileFrameBuffer and affects iOS, iPadOS, and macOS Monterey.

The exploitation of this flaw leads to arbitrary code execution with kernel privileges on compromised devices.

“A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.” reads the security advisory published by Apple.

The company addressed the flaw by improving input validation. The vulnerability impacts iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).The complete list of impacted devices includes:

Apple acknowledged an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition – Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01) for having reported this flaw.

“actively exploited” – Achievement Unlocked Btw I already posted the poc for this one on 1st January pic.twitter.com/3nmEvgnyPZ— binaryboy (@b1n4r1b01) January 26, 2022
My first 2022 CVE is iOS kernel arbitrary code execution in IOMobileFrameBuffer. https://t.co/WnE7dQ9RyJ— Meysam Firouzi (@R00tkitSMM) January 26, 2022The second zero-day vulnerability, tracked as CVE-2022-22594, is a Safari WebKit issue that impacts iOS and iPadOS. Due to this flaw, a website could track user browsing activity and identities in real-time.

“A cross-origin issue in the IndexDB API was addressed with improved input validation.” reads the advisory. “A website may be able to track sensitive user information”

This vulnerability impacts iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

The bug was first reported to Apple by Martin Bajanik of FingerprintJS on November 28th and apple addressed it with the release of iOS 15.3 and iPadOS 15.3 security update.

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The post Apple fixed the first two zero-day vulnerabilities of 2022 appeared first on Security Affairs.