The second zero-day exploit patched by Apple on Wednesday is a kernel-level code execution bug that can be abused once an attacker gains an initial foothold on an affected device. Tracked as CVE, one way an attacker could achieve that initial foothold is by exploiting the aforementioned WebKit flaw, according to researchers at Sophos.

Such privileges could afford an attacker the ability to carry out activities such as spying on apps, accessing nearly all data on the device, retrieving locations, using cameras, taking screenshots, activating the microphone, and more, he said.

Like the WebKit flaw, the code required to exploit this vulnerability would have to be embedded within a maliciously crafted web page and executed after the WebKit vulnerability had already been exploited. Reduce risk and deliver greater business success with cyber-resilience capabilities. Apple said it addressed both the issues with improved bounds checking, adding it’s aware the vulnerabilities “may have been actively exploited.

The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it’s likely that they were abused as part of highly-targeted intrusions. The latest update brings the total number of actively exploited zero-days patched by Apple to six since the start of the year -. August 22, By Pierluigi Paganini. Donot Team cyberespionage group updates its Windows malware framework.

Sponsored Content. More Story. We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits.

However, you may visit “Cookie Settings” to provide a controlled consent. Cookie Settings Accept All. Content from our partners How the retail sector can take firm steps to counter cyberattacks. How to combat the rise in cyberattacks. Why email is still the number one threat vector. Topics in this article: Apple , Cybersecurity.

The list of devices affected by both vulnerabilities are: Macs running macOS Monterey iPhone 6s and later iPad Pro all models , iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.

Lawrence’s area of expertise includes Windows, malware removal, and computer forensics. Previous Article Next Article. Cauthon – 4 days ago. You may also like:. Popular Stories. Newsletter Sign Up To receive periodic updates and news from BleepingComputer , please use the form below.

Apple security updates fix 2 zero-days used to hack iPhones, Macs

 
August 22, By Pierluigi Paganini.

New apple zero day

The CVE vulnerability is a critical memory corruption bug inside the IOMobileFrameBuffer, and essentially allows apps to execute commands on any vulnerable devices with kernel privileges. Apple has confirmed that the memory corruption issue has been fixed thanks to improved memory handling, however.

Affected devices include all iPad Pros, the 7th generation iPod Touch , iPhone 6S and all later models up to and including the new iPhone 13 range, iPad Air 2 and later models, iPad mini 4 and later as well as the 5th generation iPad and all iPads that succeeded it. Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. Tech Radar. North America. Audio player loading…. Apple has rolled out updates for its mobile, tablet and desktop operating systems, and they come with a fix for two zero-day vulnerabilities.

As Ars Technica notes, the bugs can give bad actors access to the internals of the operating systems if exploited. Apple said in its patch notes that it’s aware “of a report that [the issues] may have been actively exploited,” but it didn’t expound on whether it has detected instances of the bugs being used to gain entry to customers’ devices. The tech giant attributes the vulnerabilities’ discovery to “an anonymous researcher.

One of the vulnerabilities called CVE affects all three operating systems and gives hackers a way to execute malicious code with kernel privileges. Although this zero-day was likely only used in targeted attacks, it’s still strongly recommended to install the updates as soon as possible to block potential attack attempts.

In January, Apple patched two other zero-days exploited in the wild that could allow threat actors to achieve arbitrary code execution with kernel privileges CVE and track browsing activity and users’ identities in real-time CVE While Apple has patched only three zero-days since the start of , the company had to deal with an almost interminable stream of zero-days exploited in the wild to target iOS, iPadOS, and macOS devices.

The list includes multiple zero-day flaws used to install NSO’s Pegasus spyware on iPhones belonging to journalists, activists, and politicians.

Apple emergency update fixes zero-day used to hack Macs, Watches. Always have a full keypad with you with Apple’s Magic Keyboard deal. Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug.