Black Arrow Cyber Advisory – Apple releases patches for actively exploited zero-days across Mac, iPhone and iPad

Executive Summary

Apple released security updates yesterday, 31/03/2022, in response to two actively exploited zero-day vulnerabilities affecting iPhones, iPads and Mac computers. One vulnerability allows attackers to execute malicious code with privileged access, while the other allows attackers to read privileged memory on the device. Apple has only released limited information on the vulnerabilities at this time.

What’s the risk to me or my business?

These bugs have been confirmed to be actively exploited, and they affect all users of iPhones, iPads and Mac computers. The risk comes primarily from failing to patch these critical vulnerabilities.

What can I do?

Apple has released patches for both bugs in macOS 12.3.1, iPadOS 15.4.1 and iOS 15.4.1. It is strongly advised that these updates are applied as soon as possible.

Technical Summary

There are two separate bugs tracked as CVE-2022-22675 and CVE-2022-22674.

CVE-2022-22675 affects macOS versions prior to 12.3.1, iPadOS versions prior to 15.4.1 and iOS versions prior to 15.4.1. This bug relates to AppleAVD, a component used to decode certain media files. An out-of-bounds write in AppleAVD allows an application to execute arbitrary code with kernel privileges. Apple has not provided any further details on this specific vulnerability.

CVE-2022-22674 affects macOS versions prior to 12.3.1. This bug relates specifically to the Intel Graphics Driver, so it is unlikely to affect M1 devices, although this has not been confirmed by Apple. An out-of-bounds read allows an application to read kernel memory. The patch addresses the issue with improved input validation. Apple has not provided any further details on this specific vulnerability.
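The practical follow-up to the "What can I do?" and Technical Summary sections above is confirming that every device in the estate is actually on the fixed builds. The script below is an added example, not part of the Black Arrow advisory or of any Apple tooling: it takes an inventory export in an assumed layout (one device per line with device_name, platform and os_version columns, as most MDM tools can produce), compares each device's OS version numerically against the fixed versions stated in the advisory (macOS 12.3.1, iOS 15.4.1, iPadOS 15.4.1), and reports which of the two CVEs each unpatched device is still exposed to, using the per-platform scope given in the Technical Summary. The sample rows are constructed and the column names are assumptions.

```python
"""Fleet check for the Apple fixes covering CVE-2022-22675 and CVE-2022-22674.

Added example, not part of the advisory. The inventory layout below
(device_name,platform,os_version) is an assumption about the MDM export;
the sample devices are constructed.
"""
import csv
import io

# Fixed versions per platform, as stated in the advisory.
FIXED_VERSION = {
    "macOS": (12, 3, 1),
    "iOS": (15, 4, 1),
    "iPadOS": (15, 4, 1),
}

# Platforms each CVE affects, as stated in the advisory's Technical Summary.
CVE_PLATFORMS = {
    "CVE-2022-22675": {"macOS", "iOS", "iPadOS"},  # AppleAVD out-of-bounds write
    "CVE-2022-22674": {"macOS"},                   # Intel Graphics Driver out-of-bounds read
}


def parse_version(text):
    """Turn '12.3.1' into (12, 3, 1) so versions compare numerically.

    Plain string comparison would wrongly rank '12.10' below '12.3'.
    A trailing build tag separated by whitespace is dropped if the export has one.
    """
    dotted = text.strip().split()[0]
    return tuple(int(part) for part in dotted.split("."))


def is_patched(platform, version):
    """True when the device is at or above the fixed build for its platform.

    Tuple comparison makes (12, 3) sort below (12, 3, 1), so 'macOS 12.3' is
    correctly treated as unpatched.
    """
    return parse_version(version) >= FIXED_VERSION[platform]


def exposed_cves(platform, version):
    """CVEs an unpatched device is still exposed to (sorted); empty if patched or unknown platform."""
    if platform not in FIXED_VERSION or is_patched(platform, version):
        return []
    return sorted(cve for cve, platforms in CVE_PLATFORMS.items() if platform in platforms)


def check_inventory(csv_text):
    """Return {device_name: [cve, ...]} for every device that still needs the update."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cves = exposed_cves(row["platform"], row["os_version"])
        if cves:
            findings[row["device_name"]] = cves
    return findings


# Constructed sample export; these are not real devices.
SAMPLE_INVENTORY = """device_name,platform,os_version
mbp-finance-01,macOS,12.3
mbp-finance-02,macOS,12.3.1
iphone-ceo,iOS,15.4
ipad-reception,iPadOS,15.4.1
iphone-sales-07,iOS,15.3.1
"""

if __name__ == "__main__":
    for device, cves in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: update required ({', '.join(cves)})")
```

Run against the constructed sample, the two Macs split on 12.3 versus 12.3.1 (only the former is flagged, for both CVEs), and the iOS devices on 15.4 and 15.3.1 are flagged for CVE-2022-22675 only, matching the scope in the Technical Summary. Swap `SAMPLE_INVENTORY` for a real export with the same columns to get the list of devices still to be updated.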

Need help understanding your gaps, or just want some advice? Get in touch with us.
