Apple has released updates for its mobile and desktop operating systems to patch security holes that may well have been exploited in the wild.
The Monterey release closes CVE-2022-22675, an out-of-bounds write flaw reported by an anonymous researcher, in the driver-level AppleAVD audio-video decoder. This can be abused by an application to run code at the kernel level, meaning a rogue app or user can gain powerful privileges and completely take over the machine.
Apple said it “is aware of a report that this issue may have been actively exploited.” The bug was fixed by applying improved memory bounds checking.
Rust in peace: Memory bugs in C and C++ code cause security issues so Microsoft is considering alternatives once again
The Monterey update also patches CVE-2022-22674, an out-of-bounds read flaw again reported by an unnamed researcher, in the OS’s Intel graphics driver. This can be exploited by a rogue app or user to access kernel memory that should be out of reach, and thus steal any secrets hidden in there, such as keys and credentials.
Again, Apple said it is aware of a report that this flaw has been actively exploited. This bug was squashed by performing better user input validation.
The iOS and iPadOS releases address the same AppleAVD flaw, meaning malicious phone and tablet apps can exploit the bug to hijack devices. There were, curiously, no advisories for the tvOS and watchOS security releases because each “update has no published CVE entries,” according to Apple.
Users should apply these updates as soon as they can, if they’ve not already been automatically installed. The macOS vulnerabilities are present in at least Macs running Monterey. The iOS update is available for the iPhone 6s and later, all models of the iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).