Apple emergency update fixes zero-day used to hack Macs, Watches

by | May 17, 2022 | News



Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watch devices.

 

 

Zero-days are security flaws that the software vendor is unaware of and hasn’t yet patched. In some cases, this type of vulnerability may also have publicly available proof-of-concept exploits before a patch arrives or may be actively exploited in the wild.

In security advisories issued on Monday, Apple revealed that they’re aware of reports this security bug “may have been actively exploited.”

The flaw is an out-of-bounds write issue (CVE-2022-22675) in AppleAVD, a kernel extension for audio and video decoding, that allows apps to execute arbitrary code with kernel privileges.

The bug was reported by anonymous researchers and fixed by Apple in macOS Big Sur 11.6, watchOS 8.6, and tvOS 15.5 with improved bounds checking.

The list of impacted devices includes Apple Watch Series 3 or later, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD.

While Apple disclosed reports of active exploitation in the wild, it did not release any extra info regarding these attacks.

 

 

 


 

By withholding information, the company is likely aiming to allow the security updates to reach as many Apple Watches and Macs as possible before attackers pick up on the zero-day’s details and start deploying exploits in other attacks.

Although this zero-day was most probably only used in targeted attacks, it’s still strongly advised to install today’s macOS and watchOS security updates as soon as possible to block attack attempts.


Five zero-days patched in 2022

 

In January, Apple patched two other zero-days exploited in the wild to let attackers gain arbitrary code execution with kernel privileges (CVE-2022-22587) and track web browsing activity and user identities in real-time (CVE-2022-22594).

One month later, Apple released security updates to patch a new zero-day bug (CVE-2022-22620) exploited to hack iPhones, iPads, and Macs, which leads to OS crashes and remote code execution on compromised Apple devices.

 
 


 

In March, Apple patched two more actively exploited zero-days in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD media decoder (CVE-2022-22675), the latter also backported today to older versions of macOS, watchOS 8.6, and tvOS 15.5.

These five zero-days impact iPhones (iPhone 6s and up), Macs running macOS Monterey, and multiple iPad models.

Throughout last year, the company also patched a long list of zero-days exploited in the wild to target iOS, iPadOS, and macOS devices.

 

 


 

Source: bleepingcomputer.com


 

 

 


 

 
