Apple has released updates for two disclosed security vulnerabilities with the potential to be exploited on millions of Apple devices.
According to the tech company, a kernel vulnerability — CVE-2022-32894 — and a WebKit vulnerability — CVE-2022-32893 — are present on various devices, including iPhones (6s or later), all iPad Pros, iPad Airs (2 or later), iPads (5 or later), iPad minis (4 or later), seventh generation iPod touches, and Mac computers running macOS Big Sur, Catalina or Monterey.
Cybersecurity vulnerabilities open devices up to threats
Apple has pushed updates patching the vulnerabilities out to users of iPhone, iPad and Mac devices. Anonymous security researchers uncovered the vulnerabilities, and the tech company stated that they are "aware of a report that [these issues] may have been actively exploited."
The kernel vulnerability (CVE-2022-32894) may allow applications to "execute arbitrary code with kernel privileges," while the WebKit vulnerability (CVE-2022-32893) may allow arbitrary code execution if malicious web content is processed via Safari, according to the company's disclosure statements.
The vulnerabilities may be related to one another, according to TechCrunch.
Mobile device security remains a critical enterprise security strategy
The vulnerabilities have the potential to expose enterprise networks via mobile devices, says Richard Melick, Director of Threat Reporting at Zimperium.
"Mobile is a critical part of the enterprise workforce, but remains a largely unaddressed attack surface ripe for exploitation and compromise," said Melick. "These latest exploits and vulnerabilities revealed by Apple are just a few of the mobile-specific attacks we have seen this year. Last year, the data showed a 466% increase in mobile-specific zero-day vulnerabilities, accounting for one in three of all reported zero-day attacks. So far this year, we have seen roughly the same volume of zero-day attacks against mobile, with seven of the 23 in the wild attacks being mobile specific. All it takes is one mobile device to fall victim to an exploit as part of a larger attack chain, leaving enterprise data integrity compromised."
Mobile device security is also a critical part of executive protection. With these high-profile cybersecurity vulnerabilities affecting Apple devices, enterprise security leaders should assess their business leaders' cyber risk. Rajiv Pimplaskar, CEO of Dispersive Holdings, Inc., highlighted the cybersecurity risks threatening executive devices. "According to BlackCloak research, 87% of executive devices have no security measures at all installed, and 76% are actively leaking data. The Apple security vulnerabilities taken in this context are a stark reminder of the dangers of an expanded attack surface with the proliferation of mobile endpoints," he said.
Affected organizations and users can install the updates released by Apple to protect their devices from exploits of the disclosed vulnerabilities. According to Corey Sinclair, Cyber Threat Intelligence Analyst at Horizon3ai, "We often find that malicious threat actors do not take advantage of zero-day vulnerabilities. Rather, successful cyber threat actors target companies and organizations that run outdated software and operating systems by using years-old vulnerabilities and weaknesses that vendors have already issued patches, and/or published fix-or mitigation actions."