Harvest of zero-day flaws at Google and Apple

Hackers are currently exploiting zero-day flaws in Chrome and Safari browsers, as well as in the kernel of iOS, iPadOS and macOS. Update your systems!

Google and Apple have just, almost simultaneously, corrected a series of zero-day flaws in their software exploited by hackers. Users are therefore urged to update the affected products.

Thus, Google has just released patches for eleven security flaws in the Chrome browser, including one of a critical level and, unfortunately, exploited in the wild. This bug (CVE-2022-2856) is lodged in the “Intent” module which allows actions to be programmed according to a certain context. Example: launch an app from a web page. The concern is that the data handled by this module was not sufficiently verified upon receipt and could therefore contain malicious code. Which has not escaped some hackers.

Google does not provide any other details on this zero-day flaw, but security researchers at Sophos have their idea. “The danger seems rather obvious if the known exploit is to silently feed a local application with the kind of risky data that would normally be blocked for security reasons”writes the editor in a blog post.

This is the fifth time since the beginning of the year that Google has corrected a zero-day flaw in its browser. The firm will not have a premium to pay for this time, because this flaw was found by two engineers from the Google Threat Analysis Group team. To check if your browser is up to date, go to “Help → About Google Chrome”. You should see a version number greater than or equal to 104.0.5112.101.

Remote arbitrary code execution in WebKit

For its part, Apple has urgently released updates for iOS, macOS and iPadOS, due to two zero-day flaws actively exploited by hackers. The first (CVE-2022-32894) results from a memory write bug and would allow executing arbitrary code with kernel privileges. The second (CVE-2022-32893) is also a memory write bug, but in WebKit. According to Apple, this flaw could create malicious web content capable of executing arbitrary code at the browser level. Which is therefore particularly worrying.

The devices affected by these two flaws are the iPhone 6s or higher, the iPadPro, the iPad Air 2 and higher, the iPad 5e generation and higher, iPad mini 4 and higher and iPod Touch (7e generation). To be sure, make sure you have iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1.

Source :

The Register

Leave a Comment