Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs

Apple has fixed two zero-day vulnerabilities affecting iOS, iPadOS, and macOS Monterrey that may have been actively exploited.

The first exploit is a remote code execution (RCE) flaw affecting Apple’s proprietary browser engine WebKit, tracked as CVE-20220-32893.

An attacker could maliciously alter a web page and if visited by a WebKit-powered browser, then unauthorised code could run on unpatched devices.

WebKit is Apple’s browser engine and is naturally used to power the native Safari browser on currently supported iPhones and iPads. It’s also the engine that Apple compels app developers to use when building for its mobile devices.

This means even Google Chrome has to forfeit its Blink and V8 engines on iOS and iPadOS, and other browsers also have to use WebKit to pass Apple’s App Store checks.

Other apps that may not be browsers primarily, but have browsing features within them, also use WebKit to display web content which means the vulnerability may have a wide-reaching attack surface.

Devices affected by CVE-20220-32893 include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation), and macOS Monterrey.

This vulnerability is the third critical WebKit bug Apple has been made to fix this year after the first two patches were released within weeks of each other at the start of the year.

The second zero-day exploit patched by Apple on Wednesday is a kernel-level code execution bug that can be abused once an attacker gains an initial foothold on an affected device.

Tracked as CVE-2022-32894, one way an attacker could achieve that initial foothold is by exploiting the aforementioned WebKit flaw, according to researchers at Sophos.

This means an attacker “could jump from controlling just a single app on your device to taking over the operating system kernel itself, thus acquiring the sort of ‘administrative superpowers’ normally reserved for Apple itself,” said Paul Ducklin, principal research scientist at Sophos.

Such privileges could afford an attacker the ability to carry out activities such as spying on apps, accessing nearly all data on the device, retrieving locations, using cameras, taking screenshots, activating the microphone, and more, he said.

Like the WebKit flaw, the code required to exploit this vulnerability would have to be embedded within a maliciously crafted web page and executed after the WebKit vulnerability had already been exploited.

This zero-day also affects all the aforementioned iPhone and iPad devices, in addition to Macs running macOS Monterrey.

Both issues were caused by an out-of-bounds write issue and were addressed by improving the bounds checking of the vulnerable components.

The two vulnerabilities patched by Apple on Wednesday represent the sixth and seventh zero-day exploits that Apple has been forced to fix this year.

The company also patched a swathe of zero-day vulnerabilities in 2021 including the ForcedEntry exploit used by the notorious Pegasus spyware developed by NSO Group.