Apple has released a security update to address a zero-day vulnerability that attackers have exploited in attacks targeting Mac and Apple Watch devices.
To protect its customers, Apple will not disclose, discuss, or confirm security issues until they have been investigated and a patch or release is available.
A zero-day is a security vulnerability that the software vendor is unaware of and that has not yet been patched.
In its published security advisory, Apple clarified that it is aware of reports that this vulnerability “may be actively exploited.”
This vulnerability is an out-of-bounds write issue (CVE-2022-22675) in AppleAVD (a kernel extension for audio and video decoding) that allows apps to execute arbitrary code with kernel privileges.
This vulnerability was reported by an anonymous researcher and fixed by Apple in macOS Big Sur 11.6., watchOS 8.6 and tvOS 15.5 with improved bounds checking.
Affected devices include Apple Watch Series 3 and later, Macs with macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD.
Apple has disclosed reports of real-world exploits, but has not released any additional information about these attacks.
The reason for not releasing this information is likely to ensure that as many Apple Watches and Macs as possible receive the security update before an attacker discovers the zero-day and exploits it for other attacks.
Although this zero-day was probably only used in targeted attacks, it is still highly recommended to install today’s macOS and watchOS security updates as soon as possible to thwart any attack attempts.
5 Zero Days Patched in 2022
In January 2022, Apple patched two other zero-days: one that enabled attackers to execute arbitrary code with kernel privileges (CVE-2022-22587) and one that enabled tracking of web browsing activity and user identity in real time (CVE-2022-22594).
A month later, Apple released a security update to fix a new zero-day vulnerability (CVE-2022-22620) that can be exploited to hack iPhones, iPads, and Macs. In March, it patched zero-days in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD media decoder (CVE-2022-22675); the fix for the latter has now been backported to older versions of macOS, watchOS 8.6, and tvOS 15.5.
These five zero days affect multiple models of iPhones (iPhone 6s and above), Macs with macOS Monterey, and iPads.
Apple also patched a list of zero-days exploited in the wild that targeted iOS, iPadOS, and macOS devices throughout the last year.