If you’re an Apple user and you have an iPhone, a Mac, or both, you’ll want to grab the company’s most recent security update.

The latest release pushes out fixes for a pair of zero-day vulnerabilities that researchers have seen actively exploited in the wild.

The flaws in question are being tracked as CVE-2022-22674 and CVE-2022-22675 respectively. The former is an out-of-bounds write issue in an Intel Graphics driver and the latter is an out-of-bounds-read issue in the AppleAVD media decoder that would allow an attacker to execute arbitrary code with kernel privileges.

This is because, if they can access the kernel, a malicious actor has “pretty much access-all-areas privileges” on the target device, allowing them to take full control of it in the worst-case scenario, he said.

Users can check their update status and download the patches by going to Apple Menu – About this Mac – Software Update on a Mac, or Settings – General – Software Update on an iPhone or iPad, keeping in mind that Apple devices can take such updates automatically and that many will have already received them.

Impacted devices include the iPhone 6S and newer, the iPad Pro (all models), the iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the iPod Touch (7th generation).  Also note that users with Macs running macOS Monterey are at risk.

To make sure you’re protected download and install the iOS 15.4.1, the iPadOS 15.4.1, or the macOS Montery 12.3.1 update as appropriate for your device.

It’s still early in 2022 and so far, Apple has pushed out three zero-day patches this year resolving a total of five different zero-day issues.

In January 2022, the company’s first zero-day patch was pushed out resolving CVE-2022-22587 and CVE-2022-22594. Those allowed attackers to execute arbitrary code with kernel privileges and track web browsing activity in real time.

Then in February, Apple released another patch to address a new zero-day exploit that allowed attackers to hack iPhones, iPads, and Macs, leading to OS crashes and arbitrary code execution.

“Many people often feel overwhelmed by the quantity of updates sent by Apple and Android, but these are for the benefit of the device and the owner. Threat actors constantly tailor their attacks to any given vulnerability. Luckily, these updates are never too far behind, but must be installed immediately to take effect.”

It appears 2022 is shaping up a lot like 2021.  Last year, Apple faced a seemingly endless stream of zero-day exploits and spent much of the year busily pushing fixes out the door.  Here’s hoping this year will be at least somewhat calmer on that front!

Used with permission from Article Aggregator