Apple has released new security updates to backport patches released earlier this week to older iPhones and iPads, addressing an actively exploited zero-day bug.
The vulnerability (CVE-2022-42827) is the one Apple patched for iPhone and iPad devices this Monday, October 24. Potential attackers can use it to execute arbitrary code with kernel privileges if successfully exploited in attacks.
The out-of-bounds write issue was reported to Apple by an anonymous researcher, and it’s caused by software being able to write data outside the boundaries of the memory buffer.
This can result in data corruption, application crashes, and code execution due to undefined or unexpected results (also known as memory corruption) from subsequent data written to the buffer.
Apple addressed the zero-day vulnerability in iOS 15.7.1 and iPadOS 15.7.1 today with improved bounds checking.
The list of impacted devices includes iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Patch your older devices to block attacks
Apple disclosed the security flaw “may have been actively exploited” in the wild but is yet to release info regarding these attacks.
Even though this zero-day was most likely only used in targeted attacks, it’s strongly suggested to patch even older devices as soon as possible to block potential attack attempts.
CISA also added this zero-day to its catalog of known exploited vulnerabilities on October 25, which requires Federal Civilian Executive Branch (FCEB) agencies to patch it to protect “against active threats.”
This is the ninth zero-day Apple has fixed since the start of this year: