Apple warns of actively exploited iOS and iPadOS zero-day


Big set of security patches released.

Apple has issued a set of security updates for its iOS and iPadOS mobile operating systems that, among other patches, handle an actively exploited vulnerability, a zero day for which no prior fix existed.


The updates in iOS version 16.1 and iPadOS 16 patch a bug that allows applications to execute arbitrary code with high, kernel-level privileges.

Although Apple did not provide any further details as to the attacks, the company said it is aware that the CVE-2022-42827 vulnerability is "actively exploited".

Apple said the vulnerability was reported to it by an anonymous researcher and is caused by applications being able to write outside memory bounds.

Researcher Johannes Ullrich at the SANS Internet Storm Centre rated the bug as critical, along with the CVE-2022-42813 certificate validation vulnerability which could be abused for arbitrary code execution.

Another kernel bug caused by out-of-bounds memory writes, CVE-2022-42808, is also rated as critical, as it could allow remote attackers to run kernel code, Ullrich wrote.

The third-party Ruby scripting language shipped with Apple operating systems needs to be updated to version 2.6.10 to prevent remote attackers from crashing apps and executing code.

Apple's Accelerate Framework also contains a critical memory consumption issue which attackers could abuse with maliciously crafted images for remote code execution, ISC said.

The CVE-2022-26730 memory corruption vulnerability in the ColorSync component that could be abused with maliciously crafted images has also been addressed in today's set of patches.

Maliciously crafted disk images - DMGs - could be abused to run arbitrary code, thanks to a vulnerability in the Finder file management tool, ISC noted.

Apple supports Microsoft's Server Message Block (SMB) for network file access, and has patched a critical vulnerability in the protocol that could be used by remote attackers to execute kernel code.

Ullrich said today's set of patches is "massive".

"With the release of a new version of macOS, and updates for all operating systems Apple publishes, we got a total of 106 vulnerabilities," Ullrich said.

Apple lists the security patches here.

Copyright © iTnews.com.au . All rights reserved.