Apple on Monday released iOS 16 and macOS Monterey 12.6, both of which contain a number of new features, along with numerous important security fixes. The update for Monterey includes a patch for a kernel vulnerability that Apple noted has been exploited in the wild.
That flaw (CVE-2022-32917) could allow an attacker to execute arbitrary code with kernel-level privileges, and it is also patched in the new release of macOS Big Sur 11.7. The same flaw was patched in iOS 16, but Apple did not note any active exploitation against it on iOS devices. This is the fifth actively exploited zero day that Apple has fixed in macOS. Last month, the company released an update for macOS Monterey that included patches for two distinct vulnerabilities–one in WebKit and the other in the kernel.
There is another zero day (CVE-2022-32894) patched in Big Sur that's not present in Monterey, and has been actively exploited against Big Sur machines.
Monterey 12.6 brings with it several other security fixes, including a patch for another kernel vulnerability that could allow an app to run arbitrary code with kernel privileges. A third kernel flaw could enable an app to disclose kernel memory.
In iOS 16, Apple fixed 11 vulnerabilities, four of which can lead to remote code execution.
It has been a bumpy year for many major vendors when it comes to zero days exploited in the wild. In addition to the five macOS flaws Apple has dealt with, there have been three in iOS, and two in WebKit. Microsoft and Google have also had their fair share of zero days in 2022, as has Mozilla. But with less than three months left in the year, it’s unlikely that the count will surpass 2021, when there were 59 zero days detected in the wild.