Apple has issued security patches for iOS and iPadOS 15.3, and for macOS Monterey 12.2, to plug a vulnerability that the company said is being exploited in the wild.
The vulnerability, indexed as CVE-2022-22587, was reported to Apple independently by an anonymous researcher, Siddharth Aeri and Meysam Firouzi.
Firouzi, who works at the Mercedes-Benz Innovation Lab on car security, told iTnews that he came across the vulnerability by fuzzing the kernel and doing static analysis.
Apple's security advisory said the bug is due to a memory corruption issue in iOS and macOS.
A malicious application abusing the flaw could execute arbitrary code with high kernel privileges.
Proof-of-concept code for the zero-day has been published by Firouzi and Aeri.
Firouzi explained that the vulnerability he discovered would be part of an exploit chain.
An attacker would need to get remote code execution via NSO Group's PDF exploit, and "then use my vulnerability to get more access to the device," Firouzi said.
The security researcher reported the vulnerability through Trend Micro's Zero Day Initiative three months ago, but did not receive a response.
"They didn't answer me for like two months, so I decided to report [the vulnerability] to Apple directly," Firouzi said.
Firouzi said his work on Apple-related security is a hobby.
Apple's set of security updates addresses several serious vulnerabilities, many of which can be used to execute arbitrary code with high-level privileges.
The Safari WebKit bug that allowed cross-origin tracking of users' browsing on the internet has also been patched by Apple, with improved input validation for the IndexedDB application programming interface storage component.