Apple patches zero-day on older iPhones and iPads.
Apple has issued fresh security upgrades to backport fixes announced earlier this week to older iPhones and iPads. These updates address a zero-day problem that is currently being exploited.
On Monday, October 24, Apple released a patch to address the vulnerability known as CVE-2022-42827, which was found in iPhone and iPad devices. If it is successfully exploited in an attack, potential attackers might use it to run arbitrary code with the privileges of the kernel.
The out-of-bounds write issue was brought to Apple's attention by a researcher who wished to remain nameless. This problem arises as a result of software having the ability to write data beyond the limits of the memory buffer.
This may lead to data corruption, application crashes, and code execution owing to undefined or unexpected outcomes (also known as memory corruption) from subsequent data sent to the buffer. Additionally, this can cause memory corruption.
Today, Apple released iOS 15.7.1 and iPadOS 15.7.1, which include better bounds checking as their response to the zero-day issue.
The list of affected devices includes iPhones starting with the 6s and later models, iPad Pro in all of its iterations, iPad Air 2 and later models, iPad 5th generation and later models, iPad mini 4 and later versions, and iPod touches (7th generation).
Apply the latest patches to your older devices to prevent attacks.
Apple said that the security issue "may have been actively exploited" in the wild, although the company has not yet made any information on these assaults public.
Even though it is very probable that this zero-day vulnerability was only exploited in targeted attacks, it is strongly recommended that even older devices be patched as soon as possible in order to thwart any prospective attack efforts.
On October 25, CISA added this zero-day to its inventory of known exploited vulnerabilities. This mandates that all agencies under the Federal Civilian Executive Branch (FCEB) apply a fix to their systems in order to safeguard "against active threats."
Since the beginning of this year, Apple has corrected nine zero-day vulnerabilities, including this one:
Apple patched a vulnerability in the iOS Kernel in the month of September (CVE-2022-32917).
It patched two further zero-day vulnerabilities in the iOS Kernel (CVE-2022-32894) and WebKit in the month of August (CVE-2022-32893)
Apple fixed two zero-day vulnerabilities in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD in the month of March (CVE-2022-22675).
In February, Apple issued security upgrades in order to address another zero-day weakness in WebKit that may be exploited in order to attack iPhones, iPads, and Macs.
Apple released security updates in January to fix two further zero-day vulnerabilities that allowed code execution with kernel privileges (CVE-2022-22587) and tracked users' online surfing habits (CVE-2022-22594).