Hackers attacking iPhones, iPads and Macs — update now


Apple today (March 31) pushed out emergency security updates for iOS 15 and macOS 12 Monterey, fixing two zero-day security flaws that may already be in use by unspecified hackers.

If you're using an iPhone 6s, an original iPhone SE, or any later model of iPhone, or a Mac capable of running Monterey, update it now. The same applies to all models of the iPad Pro, the seventh-generation iPod Touch, the iPad Air 2 and later, the iPad Mini and later, and the fifth-generation iPad and later.

You'll want these devices to be updated to iOS 15.4.1, iPadOS 15.4.1 or macOS Monterey 12.3.1, all of which were released today. (Apple's watchOS and tvOS also got updates today, though those apparently included no security patches.)

Your Apple device should let you know that an update is available. Otherwise, go into Settings > General > Software Update on an iPhone or iPad, or System Preferences > Software Update on a Mac.

Serious flaws that reach into the kernel

The Mac update fixes two security vulnerabilities. The first is catalogued as CVE-2022-22674 and involves a problem with the Intel graphics driver that allows an app to read kernel memory — the inner sanctum of the operating system. 

That ability could let an application steal passwords, digital signatures used for verification, or all sorts of other secret information that modern operating systems rely on to keep things locked down.

The second vulnerability is catalogued as CVE-2022-22675 and is a flaw in the AppleAVD media decoder. It could make it possible for an application "to execute arbitrary code with kernel privileges," as Apple phrased it in its security advisory. 

That's pretty serious, because it's basically God mode — it means an app can do whatever it wants on your Mac, iPhone or iPad. 

CVE-2022-22675 also exists on iOS and iPadOS, and was the only vulnerability patched in today's updates on those platforms. Needless to say, it sounds just as severe on mobile devices as it does on Macs. 

(CVE stands for "common vulnerabilities and exposures" and is how the U.S. federal government designates information-security problems.)

Credit for notifying Apple of both flaws was given to "an anonymous researcher."

Who's behind these attacks?

In both cases, a malicious application has to get on your Mac, iPhone or iPad in the first place to carry out its dirty deeds, but that's not impossible if the app exploits a "zero-day" flaw that Apple isn't aware of until the malware has already been used.

And indeed, both these flaws get the disclaimer: "Apple is aware of a report that this issue may have been actively exploited." 

In other words, someone has already been using these vulnerabilities to attack Macs, iPhones and/or iPads. Apple isn't saying who, but odds are it's some nation-state going after political dissidents or another undesirable group. 

China has used iOS flaws in recent years to spy on Uyghur activists, and Middle Eastern petrostates have bought commercial iOS spyware to monitor dissidents and human-rights activists.

So are you at high risk of being attacked using these flaws? Probably not yet. 

But you should update your iDevices anyway, because as you read this, criminal hackers who are far less discriminating in whom they target are taking apart these Apple patches and trying to figure out how to exploit these vulnerabilities. It's only a matter of time before someone tries to use these flaws in widespread attacks.

In addition to addressing security vulnerabilities, the iOS 15.4.1 update also fixes a battery-drain issue that some users had reported since installing the original iOS 15.4 update.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.