Apple announces an ‘actively exploited’ vulnerability that allows hackers to fully control devices

On August 17, 2022, Apple announced a zero-day vulnerability that exploits a software weakness that affects both the kernel (CVE-2022-32894) and the WebKit on Apple devices (CVE-2022-32893). The kernel is a layer of the operating system common on all Apple devices, and the WebKit is part of the default Apple web browser, Safari. Apple announced they were “aware of a report that this issue may have been actively exploited” but did not provide additional details. According to reports, the vulnerability can allow a malicious actor to gain full administrator access to the device to execute code as if they were the user.

Apple has announced that the security update addresses the vulnerabilities in the iOS for the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), the Safari web browser, as well as their macOS Monterey.  https://support.apple.com/en-us/HT201222

If you have not done so already, we recommend that all Apple devices are updated immediately using the patches released on August 17^th and 18^th, 2022.  

Depending on your settings, your iOS device may automatically prompt you to update to the new operating system.  However, we recommend not waiting till that happens.  To manually install the update, go to Settings > General > Software Update. Select the iOS/iPadOS 15.6.1 update and install it.

To update your macOS, please remember that before updating your Mac’s operating system, it is always a good idea to backup your data. To do this, go to System Preferences and select Time Machine. Click Select Backup Disk to back up your device. Once that has been completed, click the Apple logo in the top left of your screen and select System Preferences and then select Software Update. For older macOS versions, such as OS Catalina and Big Sur, there is an update to Safari for this issue, and we recommend that it is installed.

If you are an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura Concierge if you have questions about this vulnerability or how you can better defend against it. Otherwise, please contact us using the Contact form on our website.

References

Apple Security – https://support.apple.com/en-us/HT201220

CISA – https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/apple-releases-security-updates-multiple-products