IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple releases emergency patch fixing zero-days across iOS and macOS

Flaws have been fixed on iPhones, iPads, and Macs, as well as undisclosed vulnerabilities on Apple TV and Apple Watch devices

Apple has released a set of emergency security updates for iPhone, iPad, and Mac following the discovery of two new zero-day vulnerabilities that were actively being exploited.

An anonymous researcher made Apple aware of the security issues, which are tracked as CVE-2022-22674 and CVE-2022-22675 respectively.

The first issue (CVE-2022-22674) only affects Macs, and more specifically the Intel Graphics Driver. Apple said the vulnerability involved an out-of-bounds read issue that could lead to the disclosure of kernel memory.

Apple believes the issue may have been exploited by hackers in the past and has fixed it by improving input validation, it said in an advisory.

Out-of-bounds read flaws typically allow attackers to read sensitive information from other memory locations, or cause a crash on the device.

The second vulnerability (CVE-2022-22675) affects iPhones, iPads, and Macs. A flaw in AppleAVD, an audio/video decoding framework used by Apple devices, allowed for arbitrary code to be executed with kernel privileges. The vulnerability, also believed to have been exploited in the past, was caused by an out-of-bounds write issue that Apple fixed by improving bounds checking.

Similar to out-of-bounds read issues, out-of-bounds write flaws occur when software modifies an index or performs pointer arithmetic that references a memory location outside of the buffer’s boundaries. This can lead to data corruption, a device crash, or, in this case, code execution.

Apple has released emergency patches for all affected devices on iOS (15.4.1), iPadOS (15.4.1), and macOS (12.3.1). These include iPhone 6 models and newer, all iPad Pro models, iPad Air 2 and newer, iPad 5th generation and newer, iPad mini4 and newer, and iPod Touch 7th generation.

Importantly, the security patch for Macs seems to only be available on macOS Monterey, which means devices will need to be updated to the latest version of the operating system.

Security fixes for Apple TV (tvOS 15.4.1) and Apple Watch (watchOS 8.5.1) were also released in new updates, but Apple has not yet supplied any information for these or assigned CVE tracking codes.

A year full of zero-days

The latest round of emergency patches from Apple addresses the fourth and fifth zero-day vulnerabilities affecting devices in the company’s device ecosystem this year.

An array of security issues, including two zero-days, were patched in January that all involved code execution flaws, some with kernel privileges too, similar to CVE-2022-22675.

Around two weeks later, Apple was forced to issue another emergency patch for a critical WebKit flaw. WebKit is the engine that powers the Safari browser and the code execution flaw also had evidence of previous active exploitation.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Apple "completely redesigns" IT certifications, introduces two new exams
Careers & training

Apple "completely redesigns" IT certifications, introduces two new exams

19 May 2022
Apple executive rejoins Google over remote work policy
flexible working

Apple executive rejoins Google over remote work policy

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Three lessons the iPod can teach us about disruption
Technology

Three lessons the iPod can teach us about disruption

11 May 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022