February 2nd – CISA has issued a warning that a patched kernel security flaw, affecting Apple iPhones, Macs, TVs and watches, is under active exploit by cyber criminals.
The bug was first disclosed on January 9th of 2022, after initial discovery by Apple’s security researchers. Identified as CVE-2022-48618, it’s unclear as to whether or not the vulnerability was silently addressed two years ago, when the initial advisory was released.
This month, Apple disclosed that an attacker with arbitrary read and write capabilities may be able to bypass Pointer Authentication, a security feature intended to block attacks that attempt to exploit memory corruption bugs.
Patched kernel security flaw
“Apple is aware of a report that this issue may have been exploited against versions of iOS released before iOS 15.7.1,” noted the company.
Apple addressed the flaw on devices running iOS 16.2 or later, iPadOS 16.2 or later, macOS Ventura or newer, tvOS 16.2 or higher and watchOS 9.2 or later.
The flaw still affects an extensive roster of devices. These include the iPhone 8 and later, the iPad Pro (all models, the iPad Air 3rd generation and later, the iPad 5th generation and later, and the iPad mini 5th generation and later, along with Macs funning macOS Ventura, Apple TV 4K, and Apple Watch Series 4 and later.
Federal agency patching requirements
CISA has issued an announcement for federal agencies, saying that U.S. federal agencies must patch the bug by February 21st (required by a binding operational directive).
Further Apple bug information
Earlier this year, an Apple zero-day bug was identified. The company has just ruled out security updates designed to patch it. If exploited in attacks, hackers could gain code execution capabilities on vulnerable devices (iPhones, Macs and Apple TVs).
On the same day, Apple also released patches for earlier iPhone and iPad models in an effort to address two additional WebKit zero-day vulnerabilities.
For more on this story, click here.