Apple has released emergency software updates for iOS and macOS to address two actively exploited zero-day vulnerabilities that could allow attackers to take full control of affected devices. The company is urging all iPhone, iPad, and macOS users to install the updates without delay.
The flaws, patched in iOS 15.6.1 and macOS Monterey 12.5.1, affect nearly all modern Apple devices capable of running either OS. The issues are severe enough that Apple confirmed both are being exploited in the wild, though it did not provide specific details.
The first flaw, tracked as CVE-2022-32894, is an out-of-bounds write issue in the kernel. According to Apple, the vulnerability could allow a malicious application to execute arbitrary code with kernel-level privileges — effectively giving attackers total control over the system.
“An out-of-bounds write issue was addressed with improved bounds checking,” Apple noted in its security advisory.
The company also acknowledged that the flaw “may have been actively exploited.”
The second vulnerability, identified as CVE-2022-32893, resides in WebKit, the browser engine behind Safari and every browser on iOS. It is also an out-of-bounds write condition, and it allows attackers to run arbitrary code by tricking users into visiting malicious websites.
Given that WebKit is used across all iOS browsers, the exposure is widespread, and Apple has confirmed this bug is also under active attack.
Although limited details have been released, security researchers warn that the vulnerabilities could lead to sophisticated spyware deployments similar to the infamous Pegasus campaign linked to the Israeli NSO Group.
“For most folks: update software by end of day. If threat model is elevated (journalist, activist, targeted by nation states, etc): update now,” warned Rachel Tobac, CEO of SocialProof Security, on X.
The Apple disclosures coincided with Google patching its own fifth zero-day vulnerability of the year in Chrome — another arbitrary code execution flaw under active attack. These back-to-back reports highlight the increasing frequency with which high-profile platforms are being targeted by sophisticated attackers.
“Despite the best efforts from top-tier tech companies, it remains an uphill battle,” noted Andrew Whaley, senior technical director at Norwegian app security firm Promon.
Whaley stressed that while vendors bear responsibility, users must also remain alert to risks and apply updates promptly. Mobile devices, he said, are often perceived as inherently secure, but they’re just as vulnerable as desktop systems.
“While we all rely on our mobile devices, they are not invulnerable. As users, we need to maintain our guard just like we do on desktop operating systems.”
He also called on app developers to implement additional security at the application level rather than relying solely on the operating system, particularly in critical sectors like banking.
“Our experience shows that this is not happening enough, potentially leaving banking and other customers vulnerable.”