It's that time again—the mad scramble to update your Apple devices to patch two zero-day exploits under active attack. Zero-day exploits are now exposed in Apple's operating systems multiple times a year—we're at seven for 2022—and although Apple devices typically remain more secure than Windows, iOS and macOS aren't the absolute bastions of impenetrability they once were.
Apple Patches Zero-Day Exploit Affecting Kernel and WebKit
On 17 August 2022, Apple released two security alerts: one for iOS and iPadOS and one for macOS. Both alerts concern Apple WebKit, the open-source browser engine powering Safari and heaps of other apps, and the kernel, which is effectively the core of the operating system and serves as a bridge between your hardware and software. Furthermore, although Apple issued two security warnings, the vulnerabilities are the same across each Apple operating system.
The first vulnerability, tracked as CVE-2022-32894 (the CVE information isn't fully published at the time of writing, but it will update), could allow an attacker to execute malicious code with kernel privileges. The malicious code would run with the highest level of access on a system, so it could perform any command and access any and all data.
The second vulnerability, tracked as CVE-2022-32893 (again, the CVE information will update later), affects Apple WebKit and could allow an attacker to execute malicious code within the web browser and other apps that use WebKit.
While Apple did detect some exploitation of these vulnerabilities, it didn't reveal how many devices were breached. However, it did provide a list of devices affected by the vulnerabilities:
- iPhone 6S and later
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Macs running macOS Monterey
As you might expect, we strongly suggest you patch your Apple devices as soon as possible.
What Is a Zero-Day Exploit?
A zero-day exploit is a previously undisclosed security vulnerability that an attacker uses to breach a site, service, or other target. As the security and tech companies are unaware of its existence, it remains unpatched and vulnerable.
In this specific example, a security researcher reached out to Apple after discovering the exploits and advised the company to patch immediately; otherwise, an attacker could exploit them and run malicious code on a target device.
Zero-day vulnerabilities are difficult to protect against due to their very nature. Security researchers are often the first people to figure out a zero-day vulnerability and typically disclose findings to the company involved to make sure it is patched before the vulnerability is exposed. However, that isn't always the case.
How to Patch macOS, iOS, and iPadOS
If you own any of the devices listed in the above section, you should update as soon as possible. Apple has already released the security updates fixing the kernel and WebKit vulnerabilities, and they don't take long to install.
On iOS and iPadOS:
- Head to Settings > General > Software Update
- Tap Download and Install
On macOS:
- Head to the Apple menu
- Click Software Update
- Click Update Now
Go Forth and Patch Your Apple Devices
It's always best to keep your devices up to date, whether using Apple, Windows, Linux, or otherwise. Although zero-day vulnerabilities are difficult to protect against, they're often used in targeted attacks on specific devices. Now, that doesn't mean you should get complacent and think your device will be the special one, but patching as soon as a security update becomes available is always the best option.