## Introduction
On August 19, 2022, Apple urged its users to update their macOS, iPhone, and iPad devices immediately because of two zero-day vulnerabilities that were being actively exploited. The vulnerabilities allowed threat actors to take over devices and execute arbitrary code. This report explains the severity of the issue and the measures that users and developers should take to protect their devices.
## The Two Flaws
The fixes ship in iOS 15.6.1 and macOS Monterey 12.5.1 and address two flaws that affect any Apple device able to run iOS 15 or the Monterey version of the desktop OS.
The first flaw, a kernel bug tracked as CVE-2022-32894, is present in both macOS and iOS. It allows an application to execute arbitrary code with kernel privileges. Apple describes it as an “out-of-bounds write issue [that] was addressed with improved bounds checking,” and says it is aware of a report that the vulnerability may have been actively exploited.
The second flaw is a WebKit bug, tracked as CVE-2022-32893, which is likewise an out-of-bounds write issue that Apple addressed with improved bounds checking. Processing maliciously crafted web content can trigger it and lead to arbitrary code execution. Apple again says it is aware of a report that the flaw may have been actively exploited. WebKit is the browser engine behind Safari and every third-party browser on iOS, so the bug is reachable from any iOS browser, not only Safari.
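Both advisories describe the same bug class, an out-of-bounds write fixed by “improved bounds checking.” The following is an added illustration written for this report, not Apple’s code and not the real kernel or WebKit bug: a constructed 32-byte memory region stands in for an object whose 16-byte buffer is followed by a neighbouring field (here a “privileged” flag, an assumption for the demo). The unchecked copy trusts the caller’s length and spills into that field; the bounds-checked copy rejects the oversized input before writing anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout for illustration (not Apple's code): a 32-byte
 * region standing in for an object in a kernel or browser-engine heap. The
 * first 16 bytes are the buffer a caller may fill; the 4 bytes right after
 * it are a neighbouring field (here a little-endian "privileged" flag) that
 * the copy must never touch. */
#define REGION_SIZE 32
#define BUF_SIZE    16
#define FLAG_OFFSET BUF_SIZE

struct region {
    uint8_t mem[REGION_SIZE];
};

/* Clears the whole region, so the flag field starts at 0. */
static void region_init(struct region *r) {
    memset(r->mem, 0, sizeof r->mem);
}

/* Reads the neighbouring flag field as a little-endian 32-bit value. */
static uint32_t region_flag(const struct region *r) {
    const uint8_t *p = r->mem + FLAG_OFFSET;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* "Before": the copy trusts the caller-supplied length. Any len greater
 * than BUF_SIZE is an out-of-bounds write that spills into the adjacent
 * field. The clamp to REGION_SIZE only keeps this demo well defined; real
 * code has no such backstop and corrupts whatever object follows. */
static size_t copy_unchecked(struct region *r, const uint8_t *src, size_t len) {
    if (len > REGION_SIZE) {
        len = REGION_SIZE;
    }
    memcpy(r->mem, src, len);
    return len;
}

/* "After": improved bounds checking. Input longer than the buffer is
 * rejected before any byte is written, and the caller is told so
 * rather than having the data silently truncated. */
static int copy_checked(struct region *r, const uint8_t *src, size_t len) {
    if (src == NULL || len > BUF_SIZE) {
        return -1;
    }
    memcpy(r->mem, src, len);
    return (int)len;
}

/* Constructed sample input: 16 bytes of filler followed by 4 bytes that,
 * copied without a bounds check, land exactly on the flag field. */
#define INPUT_LEN (BUF_SIZE + 4)
static size_t build_oversized_input(uint8_t out[INPUT_LEN]) {
    memset(out, 'A', BUF_SIZE);
    out[BUF_SIZE + 0] = 0x01;   /* flag becomes 1 (little-endian) */
    out[BUF_SIZE + 1] = 0x00;
    out[BUF_SIZE + 2] = 0x00;
    out[BUF_SIZE + 3] = 0x00;
    return INPUT_LEN;
}

int main(void) {
    struct region r;
    uint8_t input[INPUT_LEN];
    size_t n = build_oversized_input(input);

    region_init(&r);
    copy_unchecked(&r, input, n);
    printf("unchecked copy: flag = %u (corrupted by the overflow)\n", region_flag(&r));

    region_init(&r);
    int rc = copy_checked(&r, input, n);
    printf("checked copy:   rc = %d, flag = %u (input rejected)\n", rc, region_flag(&r));
    return 0;
}
```

The point for defenders is the shape of the fix rather than the specific bytes: the check runs before the write, compares against the real size of the destination rather than a value the caller supplies, and fails loudly so a caller cannot continue with partially written state.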
## Potential Risks
Apple credited the discovery of both flaws to an anonymous researcher. The concern is that, chained together, the flaws could give attackers full control of a device, creating a Pegasus-like scenario: a nation-state with access to these vulnerabilities could target individuals with spyware, much as the NSO Group did by exploiting an iPhone vulnerability.
The iOS flaws pose significant risk given the ubiquity of iPhones and how heavily users rely on mobile devices in their daily lives. Users need to be as aware of threats, and as guarded, on their phones as they would be on a desktop operating system. App developers, for their part, should build additional security controls into their own software rather than relying solely on OS security for protection, given how frequently such flaws surface.
## Recommendations
For most users, updating their devices by the end of the day is essential. Users with an elevated threat model, such as journalists, activists, or anyone likely to be targeted by a nation-state, should update immediately.
The high rate of zero-day vulnerabilities uncovered in top tech vendors’ products this year shows that, despite the best efforts of top-tier companies to address perennial security issues in their software, it remains an uphill battle. That is a call to action for users and developers alike to place a premium on device security and to adopt proactive measures against potential attacks.
## Conclusion
The discovery of two actively exploited zero-days in Apple’s iOS and macOS underlines the importance of maintaining device security. Users and developers should stay vigilant to potential threats and prioritize proactive measures to safeguard their devices. Failing to do so leaves more room for threat actors to exploit such vulnerabilities, with significant consequences for individual users and the wider technology ecosystem.