Apple released new updates for both their mobile devices and their desktop offerings. iOS and iPadOS received version 15.4.1 while macOS Monterey got version 12.3.1. In addition, tvOS and watchOS also got updates. All of the updates are aimed mainly at one zero-day.
What Are the Apple OS Zero-Day Vulnerabilities?
Apple disclosed two vulnerabilities. While both of them are out-of-bounds issues, one is related to writing and the other to reading. CVE-2022-22675, is the most widespread across Apple operating systems. CVE-2022-22674, is the lesser of the two zero-day vulnerabilities and only impacts MacOS, it is also less severe as attackers cannot abuse it to perform actions.
An out-of-bounds write vulnerability was discovered in the AppleAVD video decoding component of the Apple operating system. When exploited successfully, an application may be able to execute arbitrary code with kernel privileges. In Apple's security advisory, the company mentions "Apple is aware of a report that this issue may have been actively exploited".
The second vulnerability is specific to macOS Monterey. An out-of-bounds read issue in the Intel Graphics Driver can lead to the disclosure of kernel memory. By abusing the vulnerability, attackers can therefore get an application to read kernel memory.
Auditing Your Devices
To help identify potentially vulnerable devices, we've created a special report that lists all MacOS, iOS, and iPadOS devices along with their version and whether that version has a fix included for the above-mentioned vulnerabilities. In short, your Apple devices must have version 15.4.1 or higher for iPhones and iPads. For non-mobile devices, MacOS 12.3.1 or higher is required to be safe.