On Apple’s devices, arbitrary code execution is possible due to WebKit and kernel flaws.

Update (18th, 3:45 pm): Apple has made the Safari 15.6.1 update available for macOS Big Sur and Catalina to address the WebKit vulnerability it resolved in macOS Monterey yesterday. We still don’t know if the kernel vulnerability exists in either of these older operating systems, but we’ll let you know if Apple gets back to us.

Original story: Apple has patched three security flaws in its operating systems that it claims “may have been actively exploited.” The macOS 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 updates are now available for download and installation.

All three releases fix the same pair of issues. One is a kernel flaw, identified as CVE-2022-32894, that enables programmes to “run arbitrary code with kernel privileges.” The second vulnerability, CVE-2022-32893, affects WebKit and permits arbitrary code execution through “maliciously constructed online content.” Both findings are credited to an unnamed security researcher. WebKit is used by the Safari browser and by other programmes, like Mail, that use Apple’s WebViews to render and display content.

For macOS Catalina and Big Sur, two older versions of macOS that continue to get monthly security updates, Apple didn’t issue corresponding security patches. We reached out to Apple to ask if it intended to make these patches available for these earlier operating systems or if they weren’t impacted by the issues and didn’t require a patch.

Apple’s software release notes for the updates list no other fixes or improvements. Apple is currently working on iOS 16, iPadOS 16, and macOS Ventura, which will launch later this fall.