Apple Pushes Emergency Fixes for Two Flaws Already Being Used to Attack iPhones and Macs
Two previously unknown security holes — one in the heart of Apple's operating system, one in its browser engine — are being actively exploited. Every iPhone, iPad, and Mac owner should update today.

Key points
- Apple released emergency security updates on Wednesday, August 17, 2022, covering iOS 15.6.1 and macOS Monterey 12.5.1.
- CVE-2022-32894, a flaw in the kernel — the core software that controls everything a device does — lets a malicious app take full control of an iPhone, iPad, or Mac.
- CVE-2022-32893, a flaw in WebKit — the software engine that powers Safari and every other browser on iOS — lets a booby-trapped webpage silently run harmful code on a device.
- Both flaws were reported to Apple by an anonymous researcher and confirmed to be under active attack at the time of disclosure.
- Security researcher Rachel Tobac, CEO of SocialProof Security, advised journalists, activists, and anyone who may be targeted by governments to update immediately.
Apple rarely uses the word "urgent." This week it did.
The company pushed out back-to-back patches for iPhones, iPads, and Macs after confirming that criminals or state-sponsored hackers — it would not say which — had already found and weaponised two separate software flaws. Both fixes landed Wednesday. Both should already be on your device.
The first hole, catalogued as CVE-2022-32894, sits inside the kernel — think of the kernel as the building's boiler room, the low-level software that every other program on the device depends on. A flaw there is about as bad as it gets. An attacker who exploits it can run any code they like with full, unrestricted access to the device. Apple described it clinically as an "out-of-bounds write," meaning the software was writing data into memory regions it was never supposed to touch.
The second flaw, CVE-2022-32893, lives in WebKit, the browser engine underneath Safari and every third-party browser on iOS. Visit the wrong webpage — one crafted to exploit this bug — and an attacker can run code on your phone without you doing anything else. No download required. No password to steal.
Could this be used to spy on ordinary people?
Yes, potentially. Security experts noted that the two flaws combined could give an attacker the same depth of access that made Pegasus infamous — Pegasus being the commercial spyware built by Israeli firm NSO Group, which governments used to silently monitor journalists and activists by exploiting similar iPhone vulnerabilities. An anonymous researcher discovered both flaws, and Apple would not identify who is currently using them in attacks.
The failure mode here is familiar. A high-value target — a journalist, a dissident, an executive — loads a webpage or opens an app. No warning appears. The device is owned.
For most people the risk is lower, but "lower" is not "zero." One thing the post-mortem will say about any future incident tied to these CVEs is that the patch was available and free.
In practice, the fix is simple: go to Settings, tap General, then Software Update. Install iOS 15.6.1 if you are on an iPhone or iPad. Install macOS Monterey 12.5.1 on your Mac. Do it before the end of the day.
If you work in journalism, activism, law, or any field where powerful people might want to read your messages, do it now.
This story was originally reported by Threatpost.
Operational takeaway: Automatic updates exist for exactly this reason — turn them on and stop relying on memory.



