Apple fixes recently disclosed zero-day on older iPhones, iPads

Apple has released new security updates to backport patches released earlier this week to older iPhones and iPads, addressing an actively exploited zero-day bug.

The vulnerability (CVE-2022-42827) is the one Apple patched for iPhone and iPad devices this Monday, October 24. Potential attackers can use it to execute arbitrary code with kernel privileges if successfully exploited in attacks.

The out-of-bounds write issue was reported to Apple by an anonymous researcher, and it's caused by software being able to write data outside the boundaries of the memory buffer.

This can result in data corruption, application crashes, and code execution due to undefined or unexpected results (also known as memory corruption) from subsequent data written to the buffer.

Apple addressed the zero-day vulnerability in iOS 15.7.1 and iPadOS 15.7.1 today with improved bounds checking.

The list of impacted devices includes iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Patch your older devices to block attacks

Apple disclosed the security flaw "may have been actively exploited" in the wild but is yet to release info regarding these attacks.

Even though this zero-day was most likely only used in targeted attacks, it's strongly suggested to patch even older devices as soon as possible to block potential attack attempts.

CISA also added this zero-day to its catalog of known exploited vulnerabilities on October 25, which requires Federal Civilian Executive Branch (FCEB) agencies to patch it to protect "against active threats."

This is the ninth zero-day Apple has fixed since the start of this year:

• In September, Apple addressed a flaw in the iOS Kernel (CVE-2022-32917).
• In August, it fixed two more zero-days in the iOS Kernel (CVE-2022-32894) and WebKit (CVE-2022-32893)
• In March, Apple patched two zero-day in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
• In February, Apple released security updates to address another WebKit zero-day bug exploited to target iPhones, iPads, and Macs.
• In January, Apple patched another pair of zero-days allowing code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594).