Two critical zero-day vulnerabilities in the internals of the OSes the devices run on were fixed by Apple on Thursday.
An anonymous researcher discovered both vulnerabilities. The first vulnerability is located in macOS for Monterey and in iPadOS for most iPad models. A flaw in the write process gives hackers the ability to execute malicious code that runs with privileges in the most security-sensitive region of the OS. The out-of-bounds read issue is related to the disclosure of kernels memory.
The company wrote of both vulnerabilities, and disclosed bare-bones details for the flaws here and here.
AdvertisementApple has patched four zero-days this year. In January, the company rushed out patches to fix a zero-day memory corruption flaw that could give exploiters the ability to execute code. The IOMobileFrameBuffer is where the bug resided. It was possible for websites to track sensitive user information because of a separate vulnerability. The exploit code was made public before the patch was issued.
A bug in the Webkit browser engine gave attackers the ability to run malicious code on the iTouch and the iPhones, and Apple pushed out a fix in February. The vulnerability may have been actively exploited according to reports Apple received.
A spreadsheet Google security researchers maintain to track zero-days shows Apple fixed a total of 12 such vulnerabilities in 2021. Among those was a flaw in iMessage that the Pegasus spyware framework was targeting using a zero-click exploit, meaning devices were infected merely by receiving a malicious message, without any user action required. Two zero-days that Apple patched in May made it possible for attackers to infect fully up-to-date devices.
All Rights Reserved © 2024
