Apple on Monday patched a high-severity zero-day vulnerability that gives attackers the ability to remotely execute malicious code that runs with the highest privileges inside the operating system kernel of fully up-to-date iPhones and iPads.
In an advisory, Apple said that CVE-2022-42827, as the vulnerability is tracked, “may have been actively exploited,” using a phrase that’s industry jargon for indicating a previously unknown vulnerability is being exploited. The memory corruption flaw is the result of an “out-of-bounds write,” meaning Apple software was placing code or data outside a protected buffer. Hackers often exploit such vulnerabilities so they can funnel malicious code into sensitive regions of an OS and then cause it to execute.
The vulnerability was reported by an “anonymous researcher,” Apple said, without elaborating.
This spreadsheet maintained by Google researchers showed that Apple fixed seven zero-days so far this year, not including CVE-2022-42827. Counting this latest one would bring that Apple zero-day total for 2022 to eight. Bleeping Computer, however, said CVE-2022-42827 is Apple’s ninth zero-day fixed in the last 10 months.
Zero-days are vulnerabilities that are discovered and either actively leaked or exploited before the responsible vendor has had a chance to release a patch fixing the flaw. A single zero-day often sells for $1 million or more. To protect their investment, attackers who have access to zero-days typically work for nation-states or other organizations with deep pockets and exploit the vulnerabilities in highly targeted campaigns. Once the vendor learns of the zero-day, they are usually patched quickly, causing the value of the exploit to plummet.
The economics make it highly unlikely that most people have been targeted by this vulnerability. Now that a patch is available, however, other attackers will have the opportunity to reverse-engineer it to create their own exploits for use against unpatched devices. Affected users—including those using iPhone 8 and later, iPad Pros, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later—should ensure they’re running iOS 16.1 or iPadOS 16.
Besides CVE-2022-42827, the updates fix 19 other security vulnerabilities, including two in the kernel, three in Point-to-Point Protocol, two in WebKit, and one each in AppleMobileFileIntegrity, Core Bluetooth, IOKit, and this iOS sandbox.