Mac And iPhone Users Should Download These New Emergency Apple Security Patches ASAP

Anyone with an iPhone in their pocket or a Mac on their desk should be hitting that update button today. Apple has announced an emergency patch for iPhones, iPads, and macOS computers, an increasingly common event. The update addresses a pair of zero-day vulnerabilities in Apple's software, meaning they are already being used in the wild to exploit devices.

Apple macOS Monterey has been updated to v12.5.1, and iOS is now on v15.6.1. The updates address the same pair of vulnerabilities on both mobile and desktop platforms. If you're on an older version of macOS, you are not vulnerable to this particular issue. However, all iPhone models from the 6s onward are affected, as are all models of the iPad Pro, as well as the iPad Air 2, the 5th Gen iPad, the iPad Mini 4, and all later models in these lines. Even Apple's recently discontinued 7th gen iPod Touch gets in on the fun. You can see the update notice for iPhone below. It clocks in at 282 MB. 

The first flaw is tracked as CVE-2022-32894. It's an out-of-bounds write vulnerability in the operating system kernel, a low-level framework that has access to all parts of the system. A vulnerability here allows malware to execute code with the same high privilege level to completely take over the device.


The second vulnerability is CVE-2022-32893. This too is an out-of-bounds write vulnerability, but it's a flaw in the WebKit browser engine at the heart of Apple's Safari browser. Coincidentally, that's the only engine Apple allows on the iPhone. So, even third-party browsers like Chrome and Firefox offer no reprieve. This bug could also allow arbitrary code execution, and while the WebKit engine doesn't have the pervasive system access of the kernel, it is a web component. That means simply visiting a malicious website on an unpatched device could be enough to get you in trouble.

Apple says these flaws are being actively exploited and were reported by anonymous security researchers. These flaws are the sixth and seventh zero-days patched by Apple so far this year. We might hear about more Android vulnerabilities, but that's because Android is an open-source platform. Apple still sees its fair share of exploitable bugs, even in its silicon. One advantage Apple has is longer update support—avoiding zero-day exploits in the first place is ideal, but at least Apple can roll out updates promptly, even to older devices.