Apple on Tuesday rolled out safety updates to iOS, iPadOS, macOS, tvOS, and Safari net browser to deal with a brand new zero-day vulnerability that might end result within the execution of malicious code.
Tracked as CVE-2022-42856, the difficulty has been described by the tech big as a sort confusion difficulty within the WebKit browser engine that might be triggered when processing specifically crafted content material, resulting in arbitrary code execution.
The corporate mentioned it is “conscious of a report that this difficulty might have been actively exploited towards variations of iOS launched earlier than iOS 15.1.”
Whereas particulars surrounding the precise nature of the assaults are unknown as but, it is seemingly that it concerned a case of social engineering or a watering gap to contaminate the gadgets when visiting a rogue or legitimate-but-compromised area by way of the browser.
It is value noting that each third-party net browser that is obtainable for iOS and iPadOS, together with Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, is required to make use of the WebKit rendering engine resulting from restrictions imposed by Apple.
Credited with discovering and reporting the difficulty is Clément Lecigne of Google’s Risk Evaluation Group (TAG). Apple famous it addressed the bug with improved state dealing with.
The replace, which is on the market with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the identical bug in iOS 16.1.2 on November 30, 2022.
The repair marks the decision of the tenth zero-day vulnerability found in Apple software program because the begin of the yr. It is also the ninth actively exploited zero-day flaw in 2022 –
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-22594 (WebKit Storage) – An internet site might be able to observe delicate consumer info (publicly recognized however not actively exploited)
- CVE-2022-22620 (WebKit) – Processing maliciously crafted net content material might result in arbitrary code execution
- CVE-2022-22674 (Intel Graphics Driver) – An utility might be able to learn kernel reminiscence
- CVE-2022-22675 (AppleAVD) – An utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-32893 (WebKit) – Processing maliciously crafted net content material might result in arbitrary code execution
- CVE-2022-32894 (Kernel) – An utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-32917 (Kernel) – An utility might be able to execute arbitrary code with kernel privileges
- CVE-2022-42827 (Kernel) – An utility might be able to execute arbitrary code with kernel privileges
The newest iOS, iPadOS, and macOS updates additionally introduce a brand new safety function known as Superior Knowledge Safety for iCloud that expands end-to-end encryption (E2EE) to iCloud Backup, Notes, Images, and extra.