Apple releases iOS and macOS fixes to patch a new zero-day under attack

Apple has released another round of security updates to address vulnerabilities in iOS and macOS, including a new zero-day vulnerability that attackers are actively exploiting.

The zero-day vulnerability, tracked as CVE-2022-32917, allows a malicious application to run arbitrary code on an affected device with kernel privileges, meaning full access to the device and its data, Apple said in a security advisory on Monday. . Apple has warned that it is aware that the vulnerability “may have been actively exploited” and is believed to be the eighth zero-day flaw Apple has patched since the start of the year.

Apple says it fixes bugs in updates to iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6, and macOS Big Sur 11.7.

Apple has not disclosed additional information about CVE-2022-32917 or how cybercriminals are exploiting it. Apple did not respond to a request for comment.

Apple this week pushed another zero-day patch (number CVE-2022-32894) to Macs running macOS Big Sur 11.7. The company patched the same bug in older iPhones and iPads a few weeks ago, which Apple describes as a remotely exploitable WebKit zero-day that could allow attackers to execute arbitrary code on unpatched devices. In addition to those fixes, Apple released several other security updates on Monday, including a Safari vulnerability that could lead to address bar spoofing, a Maps issue that could allow attackers to read sensitive location information and potentially allow apps to bypass privacy preferences.

These security fixes were released in iOS 16, which brings several security and privacy improvements, including support for Apple Passcode and Lock Mode.