Cybersecurity News

Apple Issues Urgent Cybersecurity Updates to Fix Zero-Day Vulnerabilities

Healthcare organizations should urgently apply recommended cybersecurity updates to defend against zero-day vulnerabilities in certain Apple products.

Apple Issues Urgent Cybersecurity Updates to Fix Zero-Day Vulnerabilities

Source: Getty Images

By Jill McKeon

- Apple released security updates to defend against two zero-day vulnerabilities found in macOS Monterey, iOS and iPadOS, and Safari, the Cybersecurity and Infrastructure Security Agency (CISA) reported.

CISA said that an attacker could exploit one of these vulnerabilities and take control of an affected device. If exploited, the attacker could gain remote code execution (RCE) and kernel-level privileges.

A zero-day is a flaw in hardware, firmware, or software that is unknown to the parties responsible for fixing it. Essentially, a zero-day vulnerability is a vulnerability that has been disclosed but not yet patched. Once it has been disclosed, it becomes an n-day or one-day vulnerability.

The devices that are impacted by both vulnerabilities include iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and on, Macs that run macOS Monterey, iPad mini 4 and later, and the 7th generation of iPod touch, the HHS Health Sector Cybersecurity Coordination Center (HC3) explained in its alert to the healthcare sector.

“iOS devices have gained popularity recently within the healthcare sector due to their ability to be utilized as multipurpose platforms,” HC3 stated.

“The iOS devices can be used by care teams to provide secure internal communication, medication administration, ultrasound imaging, mobile documentation of sensitive patient information, and multiple other tasks. Cyberthreat actors can leverage the zero-day exploitations to compromise these iOS devices in the healthcare sector.”

The first exploit, CVE-2022-32893, takes place in WebKit and primarily resides in Safari. The vulnerability could be exploited by remotely visiting a malicious website, Apple said. The second exploit, CVE-2022-32894, is in the operating system’s kernel and could be used to execute arbitrary code using the highest privileges.

“A malware on the kernel would be able to essentially give an attacker full control of the device,” HC3 noted.

Users simply need to update their devices to the latest versions in order to defend against these vulnerabilities. For iPhones or iPads, users should navigate to “settings,” then “general,” then “software update.”

Mac users should navigate to “Apple menu,” then to “About this Mac,” then “software update.”

“With the increasing use of iOS devices in the healthcare sector, it is strongly encouraged to update your devices immediately,” HC3 urged.