Apple Rushes Out Patches for 0-Days in MacOS, iOS

The vulnerabilities could allow threat actors to disrupt or access kernel activity and may be under active exploit.

Apple rushed out patches for two zero-days affecting macOS and iOS Thursday, both of which are likely under active exploitation and could allow a threat actor to disrupt or access kernel activity.

Apple released separate security updates for the bugs – a vulnerability affecting both macOS and iOS tracked as CVE-2022-22675 and a macOS flaw tracked as CVE-2022-22674. Their discovery was attributed to an anonymous researcher.

CVE-2022-22675 – found in the AppleAVD component present in both macOS and iOS – could allow an application to execute arbitrary code with kernel privileges, according to the advisory.

“An out-of-bounds write issue was addressed with improved bounds checking,” according to the advisory. “Apple is aware of a report that this issue may have been actively exploited.”

CVE-2022-22674 is described in the advisory as an “out-of-bounds read issue” in the Intel Graphics Driver of macOS that could allow an application to read kernel memory. Apple addressed the bug – which also may have been actively exploited – with improved input validation, the company said.

As is typical, Apple didn’t disclose more specifics

Read More: https://threatpost.com/apple-rushes-out-patches-0-days-macos-ios/179222/