Apple's expanding footprint in enterprise organizations appears to have made its technologies a growing focus area for security researchers.
The company this week rushed out emergency patches for two zero-day vulnerabilities in its macOS and IOS technologies that the company said are being actively exploited. The flaws are present in macOS Catalina, BigSur, and Monterey; in devices running iOS and iPadOS; and Apple tvOS and watchOS.
One of the two zero-days for which Apple issued an update this week exists in the AppleAVD media file decoder that is present in multiple supported macOS versions as well as iOS and iPadOS. Apple's sparse vulnerability disclosure described the flaw (CVE-2022-22675) as resulting from an out of bounds write issue and providing attackers with an opportunity to execute arbitrary code at the kernel level. Apple said it is aware of a report about the flaw being actively exploited.
Apple's latest macOS Monterey 12.3.1, iOS 15.4.1, and iPadOS 15.4.1 includes "improved bounds checking" to address the issue, the company noted.
The second zero-day for which Apple issued a fix (CVE-2022-22674) exists in macOS and has to do with an out-of-bounds read issue that enables application to read kernel memory. The flaw, which also is being actively exploited, might lead to the contents of kernel memory being disclosed, Apple said in another advisory with very little information.
The flaws are the latest in a growing number of zero-day vulnerabilities that researchers have discovered in Apple's products in recent months. The latest disclosures bring to at least four the total number of zero-days that Apple has disclosed this year alone. In January, the company disclosed two similar zero-days, at least one of which was likely being exploited at the time of patch release.
In 2021, as many as 12 of 57 zero-day threats — or more than 20% — that researchers from Google's Project Zero tracked were Apple related. Impacted technologies included Apple's macOS, iOS, iPadOS, and WebKit. In several cases, the flaws were being actively exploited by the time Apple had released a fix for them.
Exacerbating the issue is the emergence of malware targeted at Mac and iOS environments. A study of Apple malware in 2021 that security researcher Patrick Wardle released in Jan. 2022 showed there were at least eight significant malware tools last year that targeted macOS. The list included ElectroRAT, a cross-platform malware for remote code execution; Silver Sparrow, targeted at Apple's M1 chip-based systems; and MacMa, a macOS implant believed to be the work of a nation-state actor.
Growing Focus Area
One reason for the growing number of flaws could be increasing code complexity, says Mike Parkin, senior technical engineer at Vulcan Cyber. As code gets more complex, there's a higher chance of vulnerabilities creeping into it. "Apple's iOS and MacOS code bases have been evolving for years, growing more complex, so it would not be surprising to see more vulnerabilities emerge."
Another likely possibility is that threat actors are seeing greater returns from attacking the Apple ecosystem, Parkin says. "There are millions of iOS and MacOS users in the world, and the attackers will focus on where they can get the most mileage out of their efforts," he says.
A global survey that Dimensional Research conducted last year for Apple device management vendor Kandji found that employee use of Apple devices has grown significantly over the past two years, at least partly because of increased remote work. Seventy-six percent of survey respondents said more employees at their organizations were using Apple devices — Mac notebooks specifically — compared to two years ago.
"Threat actors aren't going to abandon other threat surfaces, but their economics may have shifted to make the Apple space more inviting," Parkin says.