Apple has fixed a number of security flaws in iOS and macOS in a fresh wave of security updates, among them a new zero-day vulnerability that attackers are currently actively exploiting.
Apple said in a security advisory that the zero-day vulnerability, identified as CVE-2022-32917, allows a malicious app to run arbitrary code on an affected device with kernel privileges, giving it full access to the device and its data. According to reports, this is the sixth zero-day vulnerability Apple has fixed since the beginning of the year, and the company cautioned that it is aware that it “may have been actively exploited.”
According to Apple, the iOS 15.7, iPadOS 15.7, macOS Monterey 12.6 and macOS Big Sur 11.7 updates fixed the bug.
Apple hasn’t provided any additional details on CVE-2022-32917 or how attackers are using it. Apple did not respond to a request for comment.
For Macs running macOS Big Sur 11.7, Apple this week backported a patch for yet another exploitable zero-day, identified as CVE-2022-32894. The same vulnerability, which Apple describes as a remotely exploitable WebKit zero-day that might allow attackers to execute arbitrary code on unpatched devices, was fixed in older iPhones and iPads a few weeks prior.
Apple also patched a number of additional security holes, including one in Safari that might allow address bar spoofing, one in Maps that may allow a hacker to see private location data, and one in Contacts that could allow apps to override privacy settings.
The security fixes were released alongside iOS 16, which includes support for Apple Passkeys and Lockdown Mode among other security and privacy improvements.