Apple on Tuesday rolled out safety updates to iOS, iPadOS, macOS, tvOS, and Safari internet browser to deal with a brand new zero-day vulnerability that might consequence within the execution of malicious code.
Tracked as CVE-2022-42856, the difficulty has been described by the tech big as a kind confusion problem within the WebKit browser engine that could possibly be triggered when processing specifically crafted content material, resulting in arbitrary code execution.
The corporate stated it is “conscious of a report that this problem might have been actively exploited in opposition to variations of iOS launched earlier than iOS 15.1.”
Whereas particulars surrounding the precise nature of the assaults are unknown as but, it is probably that it concerned a case of social engineering or a watering gap to contaminate the gadgets when visiting a rogue or legitimate-but-compromised area through the browser.
It is value noting that each third-party internet browser that is obtainable for iOS and iPadOS, together with Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, is required to make use of the WebKit rendering engine on account of restrictions imposed by Apple.
Credited with discovering and reporting the difficulty is Clément Lecigne of Google’s Risk Evaluation Group (TAG). Apple famous it addressed the bug with improved state dealing with.
The replace, which is on the market with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the identical bug in iOS 16.1.2 on November 30, 2022.
The repair marks the decision of the tenth zero-day vulnerability found in Apple software program because the begin of the yr. It is also the ninth actively exploited zero-day flaw in 2022 –
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-22594 (WebKit Storage) – An internet site might be able to observe delicate consumer info (publicly recognized however not actively exploited)
- CVE-2022-22620 (WebKit) – Processing maliciously crafted internet content material might result in arbitrary code execution
- CVE-2022-22674 (Intel Graphics Driver) – An utility might be able to learn kernel reminiscence
- CVE-2022-22675 (AppleAVD) – An utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-32893 (WebKit) – Processing maliciously crafted internet content material might result in arbitrary code execution
- CVE-2022-32894 (Kernel) – An utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-32917 (Kernel) – An utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-42827 (Kernel) – An utility might be able to execute arbitrary code with kernel privileges
The newest iOS, iPadOS, and macOS updates additionally introduce a brand new safety function referred to as Superior Knowledge Safety for iCloud that expands end-to-end encryption (E2EE) to iCloud Backup, Notes, Pictures, and extra.
