The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a significant security threat, adding a high-severity flaw to its Known Exploited Vulnerabilities catalog. This flaw affects multiple Apple platforms, including iOS, iPadOS, macOS, tvOS, and watchOS, and is tracked as CVE-2022-48618 with a CVSS score of 7.8. The vulnerability resides in the kernel component, enabling attackers with arbitrary read and write capability to potentially bypass Pointer Authentication. Apple acknowledged the issue in an advisory, stating that it might have been exploited in versions of iOS released before iOS 15.7.1. Despite patches being released on December 13, 2022, the public disclosure only occurred more than a year later, on January 9, 2024.
Apple’s response to the CVE-2022-48618 vulnerability involved implementing improved checks to address the problem. However, the exact methods of exploitation in real-world attacks remain unknown. Intriguingly, the patches were made available with the release of iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2, and watchOS 9.2, marking a proactive approach by Apple to address the issue. Notably, Apple had previously addressed a similar kernel flaw (CVE-2022-32844, CVSS score: 6.3) in iOS 15.6 and iPadOS 15.6 on July 20, 2022, by enhancing state management related to arbitrary kernel read and write capabilities. Despite this, the delay in public disclosure of the recent vulnerability raises questions about the timeline and communication surrounding critical security issues.
In response to the active exploitation of CVE-2022-48618, CISA has urged Federal Civilian Executive Branch (FCEB) agencies to apply the provided fixes by February 21, 2024. The urgency emphasizes the severity of the threat and the need for swift action to secure systems and data. This development coincides with Apple’s efforts to address another exploited security flaw in the WebKit browser engine (CVE-2024-23222, CVSS score: 8.8). The company expanded patches for this vulnerability, extending coverage to include its Apple Vision Pro headset and providing the fix in visionOS 1.0.2. These collective efforts underscore the ongoing challenges in maintaining digital security in the face of evolving threats and the importance of timely mitigation strategies.