Update Your iPhone Now: Apple Releases Patches for iOS, iPadOS, Mac Zero-Days

pcmag.com:

Apple has released iOS and iPadOS 15.4.1 as well as macOS 12.3.1 to patch two vulnerabilities that appear to have been actively exploited by attacker.

The company says "an out-of-bounds write issue was addressed with improved bounds checking." Without that patch, "an application may be able to execute arbitrary code with kernel privileges," and Apple is "aware of a report that this issue may have been actively exploited."

Apple says the vulnerability, which it has identified as CVE-2022-22675, was revealed by an anonymous security researcher. It's said to affect every iPhone released since 2015 and the seventh-generation iPod touch as well as recent iPad, iPad mini, iPad Pro, and iPad Air models.

The flaw is found in a part of iOS and iPadOS called AppleAVD. The company doesn't appear to offer any documentation for AppleAVD, but according to Malware News, it's a "decoder that handles certain media files" that has suffered from similar vulnerabilities in the past.

Apple also released macOS 12.3.1 to address CVE-2022-22675 and another vulnerability identified as CVE-2022-22674. That flaw was also reported by an anonymous researcher, Apple says, and by exploiting it "an application may be able to read kernel memory."

"An out-of-bounds read issue may lead to the disclosure of kernel memory and was addressed with improved input validation," the company says. "Apple is aware of a report that this issue may have been actively exploited."

Apple says that CVE-2022-22674 is present in an Intel graphics driver. Presumably that means Macs featuring its custom silicon—which at this point includes pretty much everything but the Mac Pro—aren't susceptible to this flaw. But the company didn't say what models are affected.

Sign up for Se