Apple has released an out-of-band patch fixing two zero-day vulnerabilities in macOS Monterey, iOS and iPadOS; the company says it is aware of reports that they may have been actively exploited by attackers in malicious campaigns.
They are tracked as CVE-2022-22675 and CVE-2022-22674. Only the former affects iOS and iPadOS, while both are present in macOS. Apple has published the fixes as iOS and iPadOS 15.4.1 and macOS Monterey 12.3.1.
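For an administrator with a fleet inventory, the practical question is which devices are still below the fixed builds named above. The following is an added example, not code from the article or from Apple: it compares each device's reported OS version against the patched versions the article gives (iOS/iPadOS 15.4.1, macOS Monterey 12.3.1). The inventory lines and their `hostname,platform,version` layout are constructed sample data, and a device on a different major release (say, macOS 11) is deliberately reported as "not covered" rather than guessed at, since this advisory only names Monterey.

```python
"""Flag Apple devices that still need the 15.4.1 / 12.3.1 security update.

Added example, not from the original article. The patched versions come from
the article; the inventory format and sample rows are constructed for this demo.
"""
from typing import Dict, List, Optional, Tuple

# Lowest version that carries the fix, per platform (from the article).
PATCHED: Dict[str, Tuple[int, ...]] = {
    "ios": (15, 4, 1),
    "ipados": (15, 4, 1),
    "macos": (12, 3, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.4.1' into (15, 4, 1); a short form like '15.4' becomes (15, 4, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def needs_update(platform: str, version: str) -> Optional[bool]:
    """True if the device is below the patched build, False if it is patched,
    None if this advisory does not cover the platform or major release."""
    key = platform.strip().lower()
    if key not in PATCHED:
        return None
    have = parse_version(version)
    want = PATCHED[key]
    # The fix ships as a point release of one major (12.x for Monterey, 15.x
    # for iOS/iPadOS). A different major is outside what the article states,
    # so it is reported separately instead of being marked patched or not.
    if have[0] != want[0]:
        return None
    return have < want


def triage(inventory: List[str]) -> Dict[str, List[str]]:
    """Group hostnames into 'unpatched', 'patched' and 'not_covered'.

    Each line is 'hostname,platform,version' (hypothetical format); blank
    lines and '#' comments are skipped.
    """
    result: Dict[str, List[str]] = {"unpatched": [], "patched": [], "not_covered": []}
    for line in inventory:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, platform, version = [field.strip() for field in line.split(",")]
        status = needs_update(platform, version)
        if status is None:
            result["not_covered"].append(host)
        elif status:
            result["unpatched"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    "# hostname,platform,version",
    "mac-design-01,macOS,12.3",       # Monterey, one point release short of the fix
    "mac-design-02,macOS,12.3.1",     # Monterey, patched
    "mac-legacy-01,macOS,11.6.5",     # Big Sur: not named by this advisory
    "phone-sales-01,iOS,15.4",        # below 15.4.1
    "phone-sales-02,iOS,15.4.1",      # patched
    "tablet-field-01,iPadOS,15.3.1",  # below 15.4.1
]


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) if hosts else '-'}")
```

Run it as a script to see the three buckets; in a real deployment the inventory list would come from an MDM export, and the `not_covered` bucket is the one to review by hand rather than ignore.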
As for impact, CVE-2022-22674 affects only macOS Monterey and lies in the Intel Graphics Driver. The flaw is an out-of-bounds read, that is, a read past the limits of a buffer, which if exploited would allow an application to read kernel memory.
CVE-2022-22675, in addition to macOS Monterey, also affects iPhone 6s and earlier, all iPad Pro models, iPad Air 2 and earlier, iPad 5th generation and earlier, iPad mini 4 and earlier, and iPod touch 7th generation.
This vulnerability lies in AppleAVD, Apple's framework for decoding audio and video, and allows an attacker to execute arbitrary code with kernel privileges, which means they can run any command on the vulnerable device.
While Apple stated that it is aware of reports that both vulnerabilities may have been exploited by threat actors in malicious campaigns, it did not provide details.
It is worth remembering that these are not the first zero-days Apple has patched in 2022. In February the company released an update to fix CVE-2022-22620, a zero-day affecting iOS, iPadOS and macOS that allowed remote code execution; and before that flaw, it had patched two other vulnerabilities that allowed arbitrary code execution, CVE-2022-22594 and CVE-2022-22587.
We encourage users to update their devices as soon as possible so that they run the latest security patches.