Apple has released a fix for a zero-day vulnerability that bad actors could exploit to take full control of an iPhone, an iPad or a computer running macOS Monterey. The tech giant’s security advisory is pretty light on details, but it has identified CVE-2022-3289 as a vulnerability discovered by an anonymous researcher. It says the flaw could be exploited “to execute arbitrary code with kernel privileges,” which means attackers could act as the user and gain admin control of the target device. The company says it’s aware that the vulnerability may have already been exploited.
In addition, Apple has also rolled out a fix for a vulnerability affecting WebKit, the engine used by Safari, Mail and many other iOS and macOS apps. According to the company, it allows attackers to arbitrarily execute code and could hence be used to, among other things, download more malware. Like the first vulnerability, Apple credits an anonymous researcher for the discovery of this flaw — it also knows that it may have already been exploited and used to compromise iOS and Mac devices.
Both flaws are present in macOS Monterey 12.5.1, and Apple has rolled out a patch for the operating system. They both affect the same set of iPhones and iPads, as well, particularly: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later and iPod touch (7th generation). Since both flaws are likely being actively exploited right now, it’s probably wise for owners of all the aforementioned devices to install the patches by downloading the latest software update.