Description
Apple has released a security update that fixes two zero-day vulnerabilities. Successful exploitation leads to arbitrary code execution with kernel privileges on compromised devices. The first zero-day is a memory corruption issue and the second is a Safari WebKit issue.
Affected Products:
iPhone 6s and later
iPad Pro
iPad Air 2 and later
iPad 5th generation and later
iPad mini 4 and later
iPod touch (7th generation)
Notable Vulnerabilities:
CVE-2022-22584: Processing a maliciously crafted file may lead to arbitrary code execution
CVE-2022-22594: A website may be able to track sensitive user information
CVE-2022-22587: A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
CVE-2022-22579: Processing a maliciously crafted STL file may lead to unexpected application termination or arbitrary code execution
CVE-2022-22589: Processing a maliciously crafted mail message may lead to running arbitrary JavaScript
CVE-2022-22590: Processing maliciously crafted web content may lead to arbitrary code execution
CVE-2022-22592: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
Recommendations
Workaround:
It is recommended to update Apple devices to the latest available version.
Reference
https://securityaffairs.co/wordpress/127240/hacking/apple-fixed-two-zero-day-2022.html