Concise Cyber

Urgent Update: Apple Patches Two Actively Exploited Zero-Day Flaws in iOS and macOS

Apple has issued emergency security updates for iPhones, iPads, and Macs to address two critical zero-day vulnerabilities. The company confirmed that both flaws may have been actively exploited in the wild, prompting security experts to urge users to install the patches immediately.

The updates, released as iOS 15.6.1 and macOS Monterey 12.5.1, are available for any device capable of running iOS 15 or the Monterey version of the desktop operating system. The vulnerabilities could allow attackers to execute arbitrary code and gain complete control over an affected device.

The Two Zero-Day Vulnerabilities

The first flaw, tracked as CVE-2022-32894, is an out-of-bounds write issue within the kernel, the core of the operating system. According to Apple, this vulnerability could allow a malicious application to execute code with the highest level of privileges (kernel privileges). This flaw impacts both iOS and macOS devices.

The second vulnerability, CVE-2022-32893, resides in WebKit, the browser engine that powers Safari and all third-party browsers on iOS. This is also an out-of-bounds write issue, which can be triggered when a device processes maliciously crafted web content. A successful exploit could lead to arbitrary code execution. Discovery of both vulnerabilities was credited to an anonymous researcher.

Expert Warnings and Recommendations

Cybersecurity experts have expressed significant concern, warning that these flaws could give attackers full access to a user’s device, drawing comparisons to the powerful Pegasus spyware. Rachel Tobac, CEO of SocialProof Security, advised the general public to update their software by the end of the day. For high-risk individuals such as journalists, activists, or those targeted by nation-states, she stressed the need to “update now.”

This incident highlights the ongoing challenge major tech companies face in securing their software. The responsibility, however, also falls on users to remain vigilant and apply security patches as soon as they become available to protect their personal data and privacy from ever-present threats.