PrometuNews

Apple Urges: Update iPhones and iPads for Critical Vulnerabilities


Apple is urging iPhone and iPad users to install urgent updates to address two zero-day vulnerabilities that are being actively exploited.

Apple is urging macOS, iPhone, and iPad users to immediately install the respective updates this week. These updates include fixes for two zero-day vulnerabilities that are under active attack. Patches are available for devices running iOS 15.6.1 and macOS Monterey 12.5.1.

The patches address two flaws, which basically impact any Apple device that can run iOS 15 or the Monterey version of its desktop OS, according to security updates released by Apple on Wednesday.
One of the flaws is a kernel bug (CVE-2022-32894), present in both iOS and macOS. According to Apple, it is an “out-of-bounds write issue [that] was addressed with improved bounds checking.” The vulnerability allows an application to execute arbitrary code with kernel privileges, according to Apple, which, in usual vague fashion, said there is a report that it “may have been actively exploited.”

The second flaw is a WebKit bug (tracked as CVE-2022-32893), also an out-of-bounds write issue that Apple addressed with improved bounds checking. The flaw means that processing maliciously crafted web content can lead to code execution, and it has also been reported to be under active exploitation, according to Apple. WebKit is the browser engine that powers Safari and all third-party browsers that work on iOS.
The discovery of both flaws, about which little more beyond Apple’s disclosure is known, was credited to an anonymous researcher. One expert expressed worry that the latest Apple flaws “could effectively give attackers full access to device,” and that they might create a Pegasus-like scenario, similar to the one in which nation-state APTs (Advanced Persistent Threats) barraged targets with spyware made by the Israeli NSO Group by exploiting an iPhone vulnerability.

Rachel Tobac, the CEO of SocialProof Security, tweeted: “For most folks: update software by end of day.” Tobac warned: “If threat model is elevated (journalist, activist, targeted by nation states, etc): update now.”
The flaws were unveiled alongside other news from Google this week that it was patching its fifth zero-day so far this year for its Chrome browser, an arbitrary code execution bug under active attack. The news of even more vulnerabilities from top tech vendors being barraged by threat actors demonstrates that despite the best efforts from top-tier tech companies to address perennial security issues in their software, it remains an uphill battle, noted Andrew Whaley, senior technical director at Promon, a Norwegian app security company.

Whaley observed that the flaws in iOS are especially worrying, given the ubiquity of iPhones and users’ utter reliance on mobile devices for their daily lives.
“While we all rely on our mobile devices, they are not invulnerable, and as users we need to maintain our guard just like we do on desktop operating systems,” he said in an email to Threatpost. At the same time, developers of apps for iPhones and other mobile devices also should add an extra layer of security controls in their technology so they are less reliant on OS security for protection, given the flaws that frequently crop up, Whaley observed.

“Our experience shows that this is not happening enough, potentially leaving banking and other customers vulnerable,” he said.
Editorial Note

This content has been synthesized and optimized by the Prometu editorial system to ensure clarity and neutrality. Based on: Threatpost