Apple patches actively exploited iPhone, iPad zero-day and 18 other security flaws

Apple has released an update providing a number of patches for iOS and iPadOS, including one zero-day that “may have been actively exploited".

Tracked as CVE-2022-42827, the zero-day vulnerability was the result of an out-of-bounds write error in the kernel, which could be used by threat actors to execute malicious code on the kernel level.

This could allow for custom, potentially malicious programs to be run on the victim’s device, as well as putting all data on it at serious risk of exfiltration or destruction.

An out-of-bounds write error occurs when a program writes beyond the end of an intended buffer or specified array, and typically results in a crash or corruption of data. If exploited, they can be used to modify system data and execute code on impacted devices remotely.

In its post for the iOS 16.1 and iPadOS 16 security updates, Apple noted that through the flaw an “application may be able to execute arbitrary code with kernel privileges".

Beyond this, the firm offered little detail of the precise nature of the zero-day, in line with its policies on security issues and in accordance with its longstanding approach of providing little detail on security incidents.

“For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available,” stated a notice in the update post.

Affected devices include all of its smartphones from iPhone 8 and above, all models of the iPad Pro, iPad Air 3rd generation and above, and iPad and iPad Mini - both 5th generation and above.

Beyond the zero-day, the latest security update also provides patches for 18 other vulnerabilities. Of these, two more were in the kernel, though these are not thought to be actively exploited, while three were in WebKit, Apple’s browser engine which powers Safari.

Other flaws were fixed in the point-to-point protocol (PPP), a TCP/IP protocol used to send data between devices, as well as in core Bluetooth and the GPU drivers.

The patch marks the ninth overall update addressing a zero-day flaw by Apple this year. In September, the tech giant patched a similar kernel vulnerability, which allowed for arbitrary code to be executed with kernel privileges. This vulnerability also affected macOS Monterey, and had been potentially exploited in the wild by the time it was patched.

In August, Apple patched a 'superpower' zero-day affecting WebKit, in which threat actors could use remote code execution (RCE) to alter web pages, which would then run malicious code on Apple devices that visited them.

More recently, earlier this month Apple was forced to release a fix for a denial of service vulnerability, tracked as CVE-2022-22658, affecting iPhones 8 and newer.

Apple said that processing a maliciously crafted message could lead to denial of service and was fixed in its iOS 16.0.3 by improving input validation.