November Vuln of the Month: CVE-2022-32893

Nov 8, 2022
Jerry Gamblin
Director of Security Research at Kenna Security


November’s Vuln of the Month spotlights our first-ever Apple platform vulnerability—one that may pose serious risks to organizations that haven’t directed users to update their iOS and MacOS versions. It’s under active attack, so this one is worth a look. 

CVE-2022-32893 is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and by other iOS and macOS apps that render web content. An attacker who can get a device to load maliciously crafted web content can remotely execute arbitrary code on it.

Our research shows that CVE-2022-32893 meets many of the criteria we look for in a vulnerability that could be exploited, including: 

  • Access complexity: Low 
  • Potential attack surface: Massive 
  • Exploitable remotely: Yes 
  • Authentication/privilege requirements: None 
  • Potential impact on availability: Complete 
  • Exploit code published: No 
  • Active exploits observed: Yes 

November Vuln of the Month 2022

CVE-2022-32893 earns a Kenna Risk Score of 93, which means it represents a greater risk than 99% of all the CVEs we’ve scored. CVSS 3 also recognizes the risk, assigning a base score of 8.8 (High). So make no mistake: This is a high-risk vuln.

Why CVE-2022-32893 matters 

Apple has 1.8 billion active devices today—essentially an Apple device for one out of every four people on the planet. (That’s more than all Windows 10 and Windows 11 devices combined.) This makes the potential attack surface for this remote code execution vuln very broad indeed. In addition, many Apple devices fall into the BYOD camp, so IT and security staff will need to work hard to persuade users to install the updates that close this vuln.

Bottom line 

For organizations whose employees use Apple devices to access corporate networks, apps and data, prompt mitigation should be a priority. Attackers have already exploited this vuln, and the fact that so many Apple devices are BYOD assets makes effective remediation more challenging than if corporate-owned Windows PCs were the target.  

Mitigation status 

Apple addressed this vulnerability in updates to its various current operating systems: iOS 15.6.1 and iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1. Administrators who don’t have direct control over Apple assets should encourage users to update their Apple devices ASAP.
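For teams that do have an inventory (an MDM export, a BYOD self-report form, or an asset database), the practical question is which devices still sit below the fixed builds listed above. The script below is an added example, not Kenna Security's code: it takes the fixed versions from this post (iOS/iPadOS 15.6.1, macOS Monterey 12.5.1, Safari 15.6.1), compares them numerically against reported versions (plain string comparison would rank "15.10" below "15.6"), and lists the devices that still need an update. The inventory records and their field names are constructed sample data in a made-up export shape, and the rule that a Mac below 12.5.1 counts as covered if it reports Safari 15.6.1 is this example's interpretation of the standalone Safari update the post lists.

```python
"""Flag Apple devices still below the builds that fixed CVE-2022-32893.

Added example, not Kenna Security's code. Fixed versions come from the
post's mitigation section; the inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Minimum fixed version per platform, as listed in the post.
FIXED_VERSIONS: Dict[str, str] = {
    "iOS": "15.6.1",
    "iPadOS": "15.6.1",
    "macOS": "12.5.1",
    "Safari": "15.6.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.6.1' into (15, 6, 1) so comparison is numeric, not lexical.

    Lexical comparison would wrongly rank '15.10' below '15.6'. Non-digit
    suffixes (e.g. a beta tag) are ignored rather than raising.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(platform: str, version: str) -> bool:
    """True when the reported version is at or above the fixed build.

    Tuple comparison handles differing lengths correctly: (15, 6) is less
    than (15, 6, 1), and (12, 6) is greater than (12, 5, 1).
    """
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    return parse_version(version) >= parse_version(fixed)


# Constructed sample inventory in a made-up MDM-export shape (not real devices).
SAMPLE_INVENTORY: List[dict] = [
    {"device": "iphone-alice", "platform": "iOS", "os_version": "15.6.1"},
    {"device": "iphone-bob", "platform": "iOS", "os_version": "15.6"},
    {"device": "ipad-carol", "platform": "iPadOS", "os_version": "16.1"},
    {"device": "mbp-dave", "platform": "macOS", "os_version": "12.5.1"},
    {"device": "mbp-erin", "platform": "macOS", "os_version": "12.4",
     "safari_version": "15.5"},
    {"device": "imac-frank", "platform": "macOS", "os_version": "11.6.8",
     "safari_version": "15.6.1"},
]


def unpatched_devices(inventory: List[dict]) -> List[str]:
    """Return the names of devices still exposed, in inventory order."""
    exposed: List[str] = []
    for rec in inventory:
        platform = rec["platform"]
        covered = is_patched(platform, rec["os_version"])
        # Example's interpretation: a Mac that has not moved to 12.5.1 but
        # reports the standalone Safari 15.6.1 update counts as covered.
        if not covered and platform == "macOS" and rec.get("safari_version"):
            covered = is_patched("Safari", rec["safari_version"])
        if not covered:
            exposed.append(rec["device"])
    return exposed


if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {name}")
```

Run against the constructed inventory, this reports iphone-bob (15.6 is below 15.6.1) and mbp-erin (12.4 with Safari 15.5), while imac-frank is treated as covered by its Safari 15.6.1 build. Feeding a real export into `unpatched_devices` gives the list of users to chase, which is the hard part of remediation on BYOD fleets.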

Watch this space for regular Vuln of the Month spotlights, which appear on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.
