Emergency patches out for exploited Apple zero-days

AV decoder vulnerable.

Apple has issued out-of-band patches for security vulnerabilities in its operating systems that the company says have been actively exploited, making them so-called zero-days.

The company's macOS Monterey desktop operating system is incremented to 12.3.1 with fixes for a memory corruption issue affecting the AppleAVD media file decoder.

By abusing an out-of-bounds memory write bug, attackers' applications could run arbitrary code with kernel privileges, Apple said in its advisory.

Apple's iOS 15.4.1 and iPadOS 15.4.1 updates for its mobile operating systems also take care of the AppleAVD vulnerability, along with the company's tvOS 15.4.1, and watchOS 8.5.1. Curiously, for tvOS and watchOS, the advisory page stated: "This update has no published CVE entries."

An out-of-bounds memory read flaw in Apple's Intel graphics driver for macOS Monterey is also fixed in today's update.

The bug could expose sensitive information used by the operating system kernel.

Apple says both flaws may have been actively exploited but provided no further details as to where and when the attacks took place.

This is the second set of emergency patches over the last two weeks, following a large, unexpected update on March 15 that handled multiple critical flaws, including in the AppleAVD component.

 

Copyright © iTnews.com.au . All rights reserved.