Two zero-day bugs in Apple products that could allow remote code execution, and that are apparently being exploited, prompted the company to release emergency security updates Wednesday.
The Cupertino, California-based tech giant yesterday released a patch for a Webkit vulnerability, CVE-2022-32893, that lets a maliciously crafted website execute arbitrary code and could lead to the takeover of iOS devices and Macs.
As the folks at Sophos’ Naked Security blog wrote: “Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page.”
The second vulnerability grants kernel code privileges, which would let an attacker break out of an application and take over an entire device or computer. The kernel vulnerability, CVE-2022-32894, would give “administrative superpowers,” according to Sophos; combined with the Webkit vulnerability, it would allow an attacker to change settings; download and install apps; access almost all data, including location; and access the camera and microphone.
Both patches address an out-of-bounds write issue and are available for download.
Apple releases vulnerability fix for Safari web browser
Apple released another security update on Aug. 18 to fix the same issues affecting its Safari web browser for macOS Big Sur and Catalina.
Also on Aug. 18, the Cybersecurity and Information Security Agency released an alert on the vulnerabilities in the Apple products and is urging users and administrators to review the update and apply the patches as soon as possible.
Updated 9:25 a.m. Eastern on Friday, Aug. 19.