Apple fixes array of iOS, macOS zero-days and code execution security flaws
The first wave of security updates for Apple products in 2022 follows a year in which a wide variety of security flaws plagued its portfolio of devices


Apple has patched an array of security issues affecting iOS, iPadOS, and macOS devices, including two zero-day vulnerabilities.
Among the myriad other fixes in iOS and iPadOS 15.3 and macOS Monterey 12.2, released on Wednesday, were code execution flaws, including some that allowed arbitrary code to run on affected devices with kernel privileges.
The first of the two critical flaws, tracked as CVE-2022-22587, involves an issue with the IOMobileFrameBuffer, a kernel extension responsible for managing a device's framebuffer - a portion of RAM that drives the video display. It's believed to have affected the iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, and other devices in the ecosystem too.
Apple said a malicious application could exploit a flaw in this extension to execute arbitrary code with kernel privileges. Apple also said it previously knew about the security issue and that it believes it may have already been actively exploited in the wild. It was a memory corruption issue Apple fixed with improved input validation.
The bug was discovered by Meysam Firouzi of MBition - Mercedes-Benz Innovation Lab, and independent researcher Siddharth Aeri. A third, anonymous researcher was also thought to be involved.
Aeri published a proof-of-concept (PoC) for the security issue on 31 December 2021 and noted on their Twitter page that the bug was demonstrated by Pangu Team at Tianfucup 2021, a hacking competition similar to Zero Day Initiative's Pwn2Own.
The second zero-day flaw was found in Apple's WebKit browser engine and affects Safari 15 on macOS, and all browsers on iOS and iPadOS 15, as IT Pro previously reported.
Martin Bajanik of FingerprintJS first discovered the bug on 28 November 2021 and made it publicly available on 14 January, before Apple assigned it CVE-2022-22594 and patched it in Wednesday's slew of updates.
Exploiting the bug would allow websites to track sensitive user information; it stemmed from a cross-origin issue in the IndexedDB API. Apple fixed it using the same method as the first zero-day, by improving the input validation.
When he made the public disclosure earlier this month, Bajanik labelled the flaw a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," said Bajanik, who authored FingerprintJS' analysis of the bug. "This is possible because database names are typically unique and website-specific."
A total of five arbitrary code execution issues were found to affect iOS 15.3 and iPadOS 15.3, and seven affected macOS Monterey 12.2. Four of the vulnerabilities in macOS also affected iPhones and iPads, meaning there was a single vulnerability exclusive to iOS 15.3 and iPadOS 15.3, three exclusive to macOS, and four shared across the operating systems of Apple's popular iPhones, iPads, and Mac computers.
Apple's zero-day-ridden 2021
The latest wave of patches marks Apple's first release of fixes this year. The company was forced to patch a score of zero-day and other critical vulnerabilities throughout 2021, including the infamous ForcedEntry exploit used to enable NSO Group's Pegasus spyware.
Arbitrary code execution zero-days in WebKit were also found in May 2021 affecting Safari, all third-party iOS browsers, Apple Mail, and the App Store too. An additional emergency patch was also released a month later to fix more WebKit flaws in iOS 12 which could lead to remote code execution attacks.
May 2021 was a particularly troubled period for the company, whose products were once said not to even need antivirus protection. Another significant number of vulnerabilities were fixed at the end of May across iOS, macOS, tvOS, watchOS and Safari, including a macOS Big Sur zero-day vulnerability under active attack at the time.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.