Dec 14, 2022 | Ravie Lakshmanan
Apple on Tuesday rolled out security updates to iOS, iPadOS,
macOS, tvOS, and Safari web browser to address a new zero-day
vulnerability that could result in the execution of malicious
code.
Tracked as CVE-2022-42856, the issue has been
described by the tech giant as a type confusion issue in the WebKit
browser engine that could be triggered when processing specially
crafted content, leading to arbitrary code execution.
The company said it’s “aware of a report that this issue may
have been actively exploited against versions of iOS released
before iOS 15.1.”
While details surrounding the exact nature of the attacks are
unknown as yet, it’s likely that it involved a case of social
engineering or a watering hole to infect the devices when visiting
a rogue or legitimate-but-compromised domain via the browser.
It’s worth noting that every third-party web browser that’s
available for iOS and iPadOS, including Google Chrome, Mozilla
Firefox, Microsoft Edge, and others, is required[1]
to use the WebKit rendering engine due to restrictions imposed by
Apple.
Credited with discovering and reporting the issue is Clément
Lecigne of Google’s Threat Analysis Group (TAG). Apple noted it
addressed the bug with improved state handling.
The update, which is available with iOS 15.7.2, iPadOS
15.7.2[2], macOS Ventura
13.1[3], tvOS
16.2[4], and Safari
16.2[5], arrives two weeks after
Apple patched the same bug in iOS
16.1.2[6] on November 30,
2022.
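Because the fix shipped separately in the iOS 15 and iOS 16 branches, a plain "version is at least 15.7.2" test would wrongly pass an iOS 16.0 device. The following added example (not from the article or from Apple) checks each device against the fixed version of its own release branch; the fixed versions are the ones listed above, while the device names and inventory rows are constructed for illustration.

```python
# Added example: release-branch-aware check for the CVE-2022-42856 fix.
# Fixed versions come from the article; device names and inventory rows are constructed.

# product -> {major release branch: first version in that branch carrying the fix}
FIXED = {
    "iOS": {15: (15, 7, 2), 16: (16, 1, 2)},
    "iPadOS": {15: (15, 7, 2)},
    "macOS": {13: (13, 1, 0)},
    "tvOS": {16: (16, 2, 0)},
    "Safari": {16: (16, 2, 0)},
}

def parse_version(text):
    """Turn '15.7.2' or '13.1 (build id)' into a tuple of ints, zero-padded to three parts."""
    nums = [int(p) for p in text.split()[0].split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def patch_status(product, version):
    """Return 'patched', 'needs-update', or 'unknown' for one device."""
    branches = FIXED.get(product)
    try:
        v = parse_version(version)
    except (ValueError, IndexError):
        return "unknown"  # empty or non-numeric version string
    if branches is None or v[0] not in branches:
        return "unknown"  # product or branch the article gives no fixed version for
    # Compare only against the fix for the device's own branch: iOS 16.0 is
    # numerically above 15.7.2 but predates the 16.x fix (16.1.2).
    return "patched" if v >= branches[v[0]] else "needs-update"

# Constructed sample inventory: (device name, product, reported version)
INVENTORY = [
    ("phone-01", "iOS", "15.7.1"),
    ("phone-02", "iOS", "15.7.2"),
    ("phone-03", "iOS", "16.0"),
    ("phone-04", "iOS", "16.1.2"),
    ("mac-01", "macOS", "13.0.1"),
    ("mac-02", "macOS", "13.1"),
    ("tab-01", "iPadOS", "16.1"),  # branch with no fixed version named in the article
]

def audit(inventory):
    """Map each device name to its patch status."""
    return {host: patch_status(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" need a manual check against Apple's security release notes rather than being assumed safe.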
The fix marks the resolution of the tenth zero-day vulnerability
discovered in Apple software since the start of the year. It’s also
the ninth actively exploited zero-day flaw in 2022 –
- CVE-2022-22587[7] (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
- CVE-2022-22594[8] (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
- CVE-2022-22620[9] (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2022-22674[10] (Intel Graphics Driver) – An application may be able to read kernel memory
- CVE-2022-22675[11] (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-32893[12] (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2022-32894[13] (Kernel) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-32917[14] (Kernel) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-42827[15] (Kernel) – An application may be able to execute arbitrary code with kernel privileges
The latest iOS, iPadOS[16], and macOS[17] updates also introduce
a new security feature called Advanced Data Protection for
iCloud[18] that expands end-to-end
encryption (E2EE) to iCloud Backup, Notes, Photos, and more.
References
- [1] required (www.macrumors.com)
- [2] iOS 15.7.2, iPadOS 15.7.2 (support.apple.com)
- [3] macOS Ventura 13.1 (support.apple.com)
- [4] tvOS 16.2 (support.apple.com)
- [5] Safari 16.2 (support.apple.com)
- [6] iOS 16.1.2 (support.apple.com)
- [7] CVE-2022-22587 (thehackernews.com)
- [8] CVE-2022-22594 (thehackernews.com)
- [9] CVE-2022-22620 (thehackernews.com)
- [10] CVE-2022-22674 (thehackernews.com)
- [11] CVE-2022-22675 (thehackernews.com)
- [12] CVE-2022-32893 (thehackernews.com)
- [13] CVE-2022-32894 (thehackernews.com)
- [14] CVE-2022-32917 (thehackernews.com)
- [15] CVE-2022-42827 (thehackernews.com)
- [16] iOS, iPadOS (support.apple.com)
- [17] macOS (support.apple.com)
- [18] Advanced Data Protection for iCloud (thehackernews.com)
- [19] Twitter (twitter.com)
- [20] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2022/12/new-actively-exploited-zero-day.html