On Wednesday, Apple released iOS and iPadOS 15.6.1 along with macOS Monterey 12.5.1. The only changes these updates bring are fixes for two serious vulnerabilities that could let attackers execute arbitrary code on users’ devices.

The first vulnerability – tagged CVE-2022-32894 – could let programs execute arbitrary code with kernel-level privileges. The second – labeled CVE-2022-32893 – is a WebKit flaw that could let malicious web pages run arbitrary code. WebKit is the engine underpinning Apple’s Mail app, Safari, and all iOS web browsers. Reports indicate bad actors have already started exploiting both vulnerabilities.

Apple didn’t release any other details about the vulnerabilities, crediting anonymous researchers with their discovery. However, the WebKit flaw’s page on WebKit Bugzilla credits Yusuke Suzuki with reporting the issue on August 4.
iOS and iPadOS 15.6.1 are available for the iPhone 6s and later, all iPad Pro models, the iPad Air 2 and later, iPad 5th generation and newer, iPad mini 4 and later, and the 7th generation iPod touch. Users can update by heading to Settings > General > Software Update. Update macOS by navigating to System Preferences > Software Update.

A new version of watchOS (8.7.1) also went out on Wednesday, though without a description, so it isn’t clear if it’s connected to the same issue. That update is only available for the Apple Watch Series 3.

Although Apple patched Monterey, it hasn’t patched its predecessors – Big Sur and Catalina – which are still popular. It isn’t known whether the older macOS versions are vulnerable or if Apple is prioritizing Monterey. The latter has been the case before. Earlier this week, a security researcher discovered that Big Sur and Catalina are still susceptible to a severe vulnerability that Apple patched in Monterey last year. It could break through every macOS security layer and expose every file on a Mac. Last November, Apple fixed a vulnerability in Catalina only after many users suffered a cyberattack using the exploit. The company had long since patched Big Sur against the same flaw.