Apple on Monday patched a very serious zero-day vulnerability that allows attackers to remotely execute malicious code that runs with the highest privileges in the operating system kernel of fully up-to-date iPhones and iPads.
In an advisory, Apple said the vulnerability, tracked as CVE-2022-42827, “may have been actively exploited,” industry jargon indicating that a previously unknown vulnerability is being exploited in the wild. The memory corruption bug is the result of an “out-of-bounds write,” meaning Apple's software wrote data past the end of the memory buffer allocated for it. Attackers often exploit such flaws to place malicious code in sensitive areas of an operating system and execute it.
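To make the bug class concrete, the following is an added illustration (not Apple's code and not the actual CVE-2022-42827 defect, whose details Apple has not published). It uses a constructed record layout and a constructed one-byte-length wire format: the unchecked parser trusts the length byte and can write past the fixed-size buffer into the fields that follow, while the hardened parser validates the claimed length against both the buffer capacity and the bytes actually received before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

/* Hypothetical in-kernel record (constructed layout for illustration):
   a fixed-size buffer followed by state that untrusted input must never
   be able to reach. */
struct record {
    uint8_t  payload[PAYLOAD_MAX];
    size_t   payload_len;
    uint32_t privileged;
};

/* Constructed wire format: one length byte, then that many payload bytes. */

/* Vulnerable pattern: the length byte is trusted. A message whose length
   byte exceeds PAYLOAD_MAX makes the loop write past 'payload' into the
   fields after it: the out-of-bounds write class the advisory describes.
   Shown for contrast only; it is never called with untrusted data here. */
void parse_record_unchecked(struct record *r, const uint8_t *msg)
{
    size_t len = msg[0];
    for (size_t i = 0; i < len; i++)
        r->payload[i] = msg[1 + i];
    r->payload_len = len;
}

/* Hardened pattern: reject the message unless the claimed length fits the
   buffer and the bytes actually present. Returns 0 on success, -1 on reject. */
int parse_record_checked(struct record *r, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;                  /* no length byte at all */
    size_t len = msg[0];
    if (len > PAYLOAD_MAX)
        return -1;                  /* would overflow 'payload' */
    if (len > msg_len - 1)
        return -1;                  /* claims more bytes than were sent */
    memcpy(r->payload, msg + 1, len);
    r->payload_len = len;
    return 0;
}

int main(void)
{
    struct record r;
    memset(&r, 0, sizeof r);

    /* Well-formed message (constructed): 4 payload bytes follow the length. */
    const uint8_t good[] = { 4, 'a', 'b', 'c', 'd' };
    printf("good: %d (len %zu)\n",
           parse_record_checked(&r, good, sizeof good), r.payload_len);

    /* Malformed message (constructed): claims 200 bytes, only 2 follow. */
    const uint8_t bad[] = { 200, 'x', 'y' };
    printf("bad : %d\n", parse_record_checked(&r, bad, sizeof bad));
    return 0;
}
```

The two checks in the hardened parser are independent: the first protects the destination buffer, the second protects against reading past the end of the source message. Dropping either one reintroduces a memory-safety bug.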
The vulnerability was reported by an “anonymous researcher,” Apple said, without elaborating.
A spreadsheet maintained by Google researchers shows that Apple has patched seven zero-days so far this year, not counting CVE-2022-42827. Counting the latter would bring Apple's zero-day total for 2022 to eight. Bleeping Computer, however, said that CVE-2022-42827 is Apple's ninth zero-day fix in the past 10 months.
Zero-days are vulnerabilities that are discovered and leaked or actively exploited before the responsible vendor has had a chance to release a patch that fixes the flaw. A single zero-day often sells for $1 million or more. To protect their investment, attackers with access to zero-days typically work for nation-states or other organizations with deep pockets and use the vulnerabilities in highly targeted campaigns. Once the vendor learns of a zero-day, it is usually patched quickly, greatly reducing the value of the exploit.
These economics make it highly unlikely that most people are a target of this vulnerability. However, now that a patch is available, other attackers have the opportunity to reverse engineer it to create their own exploits for use against unpatched devices. Affected users, including users of iPhone 8 and later, iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later, should ensure that they are running iOS 16.1 or iPadOS 16.
In addition to CVE-2022-42827, the updates fix 19 other vulnerabilities, including two in the kernel, three in Point-to-Point Protocol, two in WebKit, and one each in AppleMobileFileIntegrity, Core Bluetooth, IOKit, and the iOS sandbox.