Apple drops iOS and iPadOS 15.6.1 to fix two exploited zero days

Two new zero-days, or bugs that are being exploited prior to fixes being issued, have been discovered in Apple's iOS and iPadOS mobile operating systems.

One affects the iOS/iPadOS kernel and allows applications to run arbitrary code with the highest system privileges.

The bug has been given the Common Vulnerabilities and Exposures index CVE-2022-3284.

A second flaw, CVE-2022-32893, affects the WebKit rendering engine which is used in Apple's Safari browser and iOS/iPadOS apps that display HTML content.

Attackers can abuse the WebKit flaw with maliciously crafted web content to execute arbitrary code.

Both issues were caused by out of bounds write bugs, allowing attackers to inject data before the beginning, or after, a buffer in memory.

Apple said it is aware of both vulnerabilities being exploited, but provided no further details.

There were also patches for two Safari bugs: CVE-2022-32784 was an information leak in Safari Extensions exploitable by a malicious website, while CVE-2022-2294 offered arbitrary code execution via WebRTC.