The first vulnerability, CVE-2022-22675, resides in macOS for Monterey and in iOS or iPadOS for most iPhone and iPad models. The flaw, which stems from an out-of-bounds write issue, gives hackers the ability to execute malicious code that runs with privileges of the kernel, the most security-sensitive region of the OS. CVE-2022-22674, meanwhile, also results from an out-of-bounds read issue that can lead to the disclosure of kernel memory.
Apple is not exactly being helpful in providing details for the flaws but that might be because it is facing an existential crisis which it does not want its fanboys to catch. It can’t do its normal “this only affects a small number of users and is not a serious threat” line as it admits that the issues have been weaponised and used.
Apple’s software genii have been having a few problems this year. CVE-2022-22674 and CVE-2022-22675 are the fourth and fifth zero-days Apple has patched this year.
In January, the company rushed out patches for iOS, iPadOS, macOS Monterey, watchOS, tvOS, and HomePod Software to fix a zero-day memory corruption flaw that could give exploiters the ability to execute code with kernel privileges.
A spreadsheet Google security researchers maintain to track zero-days shows Apple fixed a total of 12 such vulnerabilities in 2021. Among those was a flaw in iMessage that the Pegasus spyware framework was targeting using a zero-click exploit, meaning devices were infected merely by receiving a malicious message, without any user action required. Two zero-days that Apple patched in May made it possible for attackers to infect fully up-to-date devices.