Apple releases iOS and macOS fixes to patch a new zero-day under attack

Apple has released another round of security updates to address vulnerabilities in iOS and macOS, including a new zero-day flaw that is being actively exploited by attackers.

The zero-day flaw, tracked as CVE-2022-32917, allows a malicious app to run arbitrary code on an affected device with kernel privileges, Apple said in a security advisory on Monday, which means full access to the device and its data. Apple warned that it is aware that this flaw “may have been actively exploited," believed to be the eighth zero-day vulnerability fixed by Apple since the start of the year.

Apple says it fixed the bug in updates for iOS 15.7 and iPadOS 15.7, macOS Monterey 12.6 and macOS Big Sur 11.7.

Apple hasn’t revealed any further information about CVE-2022-32917 or how it is being exploited by cybercriminals. Apple did not respond to a request for comment.

Apple this week back-ported a patch for another exploited zero-day, tracked as CVE-2022-32894, to Macs running macOS Big Sur 11.7. This comes weeks after the company patched the same vulnerability — described by Apple as a remotely exploitable WebKit zero-day that could allow attackers to execute arbitrary code on unpatched devices — in older iPhones and iPads.

In addition to these fixes, Apple released a number of other security updates on Monday, including a Safari flaw that could lead to address bar spoofing, an issue in Maps that could enable an attacker to read sensitive location information, and a Contacts vulnerability that may enable apps to bypass privacy preferences.

The security fixes were released alongside iOS 16, which brings with it a number of security and privacy enhancements, including support for Apple Passkeys and Lockdown Mode.