Apple has released information about two zero-day vulnerabilities that attackers are using to target victims via Apple devices.
What is the issue? –
A remote code execution vulnerability (RCE) tracked as CVE-2022-32893 in Apple’s HTML rendering software (WebKit), by means of which a booby-trapped web page can trick iPhones, iPads, and Macs into running unauthorized and untrusted software code. Simply put, a cybercriminal could implant malware on your device even if all you did was view an otherwise innocent web page.
A kernel code execution vulnerability tracked as CVE-2022-32894, by which an attacker who has already gained a basic foothold on your Apple device by exploiting CVE-2022-32893 could escalate their privileges from controlling just a single app on your device to taking over the operating system kernel itself, thus acquiring admin access normally reserved for Apple itself.
What is the resolution? – Update any of the following devices to the latest version of Apple software –
Macs running macOS Monterey running versions prior to 12.5.1
iPhone 6s and later running iOS versions prior to 15.6.1
iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) running iOS versions prior to 15.6.1
What do I need to do? – Don’t panic. Alert your organization about the issue and update any of your affected devices as soon as possible.
If your business needs help doing this, get in touch.
You can find more information about these vulnerabilities from these Apple Support articles –