Apple has addressed patches for two vulnerabilities in its products that affects iOS, macOS and ipadOS.
The first vulnerability is a Kenral code execution bug tracked as CVE-2022-22675. This update is for iOS and iPadOS, both of which go to version 15.4.1.
The second vulnerability is a Kernel code execution bug tracked as CVE-2022-22675 and kernel data leakage bug CVE-2022-22674. This update is for macOS Monterey, which goes to version 12.3.1.
No earlier versions of iOS, iPadOS or macOS seem to be affected by these bugs. But with caution might be the case Apple didn’t support the older versions. It’s still not clear until Apple releases it.
Apple’s core Security Updates page at HT201222 reports that there are updates denoted tvOS 15.4.1 and watchOS 8.5.1, but Apple merely remarks that these updates have “no published CVE entries”.
Apple is aware of a report that this issue may have been actively exploited.
Kernel code execution flaws where an unauthorised app or chunk of injected code doesn’t just take over a single application, but potentially gets unsandboxed access to the entire running system are the most broadly dangerous sort of bug on iPhones and iPads.
Apple’s mobile devices are locked down much more tightly by default than computers running macOS, and while you can increase security on macOS, you aren’t supposed to be able to reduce security on iOS and iPadOS to bypass those default restrictions.
Malware with kernel control has access-all-areas privileges, meaning that it could be used for a total jailbreak. Kernel code execution bugs could be used for general-purpose spyware that could peek into, and perhaps even manipulate, all aspects of your digital life, including location data, IMs and text messages, emails, browsing history, contacts, phone records, photos.
Patch all the affected versions of the Apple devices family to stay safe and secure.