Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Patches Remote Code Execution Flaws in iOS, macOS

Apple on Tuesday released out-of-band patches for iOS and macOS, to address two arbitrary code execution vulnerabilities in the libxml2 library.

Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents.

Apple on Tuesday released out-of-band patches for iOS and macOS, to address two arbitrary code execution vulnerabilities in the libxml2 library.

Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents.

Tracked as CVE-2022-40303 and CVE-2022-40304, the two vulnerabilities could lead to remote code execution. Apple has credited Google Project Zero security researchers for both issues.

“A remote user may be able to cause unexpected app termination or arbitrary code execution,” Apple notes for both security flaws.

The first of the flaws exists because the lack of specific limitations could lead to integer overflows. According to Apple, improved input validation resolved the issue.

In case of the second vulnerability, in specific conditions, memory errors such as double-free bugs could emerge. Apple says that improved checks fixed the defect.

Apple addressed the flaws with the release of macOS Ventura 13.0.1 and iOS 16.1.1 and iPadOS 16.1.1 (for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th gen and later, and iPad mini 5th gen and later).

Apple has made no mention of any of the vulnerabilities being exploited in attacks.

However, proof-of-concept (PoC) code targeting CVE-2022-40303, as well as full technical details on CVE-2022-40304 have been published online, which explains why Apple rushed the fixes.

Related: Apple Rolls Out Xcode Update Patching Git Vulnerabilities

Related: Apple Fixes Exploited Zero-Day With iOS 16.1 Patch

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.