Apple security update fixes new iOS zero-day used to hack iPhones

by | Dec 14, 2022 | News


In security updates released today, Apple has fixed the tenth zero-day vulnerability since the start of the year, with this latest one actively used in attacks against iPhones.

The vulnerability was disclosed in security bulletins released today for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1, with Apple warning that the flaw “may have been actively exploited” against previous versions.

The bug (CVE-2022-42856) is a type confusion issue in Apple’s WebKit web browser engine.

The flaw, discovered by Clément Lecigne of Google’s Threat Analysis Group, allows maliciously crafted web content to perform arbitrary code execution on a vulnerable device.

Arbitrary code execution could allow the malicious site to execute commands in the operating system, deploy additional malware or spyware, or perform other malicious actions.

Apple addressed the zero-day vulnerability with improved state handling for the following devices: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).


Patch your iPhones, iPads, and macOS Ventura

While Apple has disclosed that threat actors actively exploited the vulnerability, the company has yet to provide any details on the attacks.

However, as the vulnerability was discovered by Clément Lecigne of Google’s Threat Intelligence Team, we will likely learn more in a future blog post.

Vendors commonly delay releasing such details so that users can patch their devices before other threat actors analyze the fixes and develop their own exploits.

Even though this zero-day flaw was likely used in highly targeted attacks, it is still advisable to install today’s security updates as soon as possible.

This is the tenth zero-day fixed by Apple since the start of the year:


Source: bleepingcomputer.com
