(CVE-2022-32894 and CVE-2022-32893)
Event Summary
Apple is urging macOS, iPhone and iPad users to install the released update as soon as possible. The update includes fixes for two zero-days vulnerabilities under active attack. The patches are for vulnerabilities that allow attackers to execute arbitrary code and ultimately take over devices. Apple has released security updates for iOS, iPadOS, and macOS Monterey to fix these vulnerabilities.
Detail
Product Affected | Vulnerable Version | CVE-CVSS Associated | Risk / Details for vulnerability | Recommendations |
iOS & iPadOS | <15.6.1* iPhone 6s and later for iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
| CVE-2022-32893 | High – Arbitrary code execution | Update systems with latest security patches |
MacOS | <12.5.11* MacOS Monterey | CVE-2022-32894 | High – Arbitrary code execution
| Update systems with latest security patches |
*Versions prior to the latest version
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. Currently, we recommend applying vendor patches immediately. Users are also advised to enable automatic software updates by going to Settings > General > Software Updates > Enable Automatic Updates.
Our Threat Recon Unit will also keep track of any exploitation tool or PoC (Proof of Concept) that could leverage the usage of those vulnerabilities to exploit systems actively. Information about new IoCs and IoAs will continue to be included proactively as part of the ThreatWatch service’s monitoring mechanism on every service tier.
Please contact your Security On-Demand Customer Success Manager if you have any questions about this alert.
Additional Resources
- https://support.apple.com/en-sg/HT201222
- https://www.csa.gov.sg/en/singcert/Alerts/al-2022-040
- https://threatpost.com/iphone-users-urged-to-update-to-patch-2-zero-days-under-attack/180448/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32894
- https://www.helpnetsecurity.com/2022/08/18/cve-2022-32894-cve-2022-32893-cve-2022-2856/
- https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/
- https://www.macrumors.com/2022/08/17/apple-releases-macos-monterey-12-5-1/
- https://www.macrumors.com/2022/08/17/apple-releases-ios-15-6-1/