skip to Main Content
the face of a building

Quick Take: This Week’s List of CISA Vulnerabilities Exposes Another Zero Day for Apple

Somewhat unusually, in less than a week, CISA added new entries to its Catalog of Known Exploited Vulnerabilities. One was added on Friday, February 11, 2022, and an additional nine were listed two business days later February 15, 2022.

Following the typical pattern, a strong plurality of the newly-listed vulnerabilities, four of the 10, were in Microsoft products. Vulnerabilities that could allow unwanted remote code execution exist in a strong majority of the new listings (8 out of 10) seem to be the standard of what’s getting added to the list.

Three of the newly listed vulnerabilities, including the February 11th listing, were so serious that vendor-updated corrections have to be installed within two weeks of the listing. The other seven all have until August 15, 2022, for the corrections to be due.

So what was the vulnerability disclosed in the February 11 listing that couldn’t wait for a couple of days to be listed with the other nine? It is a zero-day security vulnerability in Apple’s WebKit browser engine that led to the three OS updates being issued by Apple on February 17, 2022: iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1.

This zero-day vulnerability could lead to arbitrary code execution and is the third zero-day patch by Apple this calendar year. It impacts all iPhone 6s and later, many iPad models, and Macs running macOS Monterey. As described by Apple, the fix was achieved by implementing better memory management.

These zero-day vulnerabilities have been a persistent problem for Apple. A September 2021 report by Citizen Lab showed that for a full eight-month period, a zero-day threat compromised iOS, macOS, and watchOS devices.

Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top