Apple has patched its tenth zero-day vulnerability since the beginning of the year; this most recent one is being actively exploited in attacks against iPhones.
In security bulletins published today for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1, Apple also said that the bug “may have been actively exploited” against older versions.
According to the reports, the update patched a bug in WebKit, the browser engine that powers Safari and other apps. If exploited, the bug may have allowed malicious code to run on the user’s device. The vendor has only one day to address the vulnerability.
The flaw is a type confusion issue in Apple’s WebKit browser engine, tracked as CVE-2022-42856.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1”, according to Apple.
Clément Lecigne of Google’s Threat Analysis Group found the vulnerability, which enables maliciously crafted web content to execute arbitrary code on a susceptible device.
Hence, arbitrary code execution could allow the malicious site to run commands in the operating system, install more spyware or malware, or carry out other malicious deeds.
The type confusion issue was addressed with improved state handling. Apple fixed the zero-day vulnerability for the following devices: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (first generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
While Apple has confirmed that threat actors actively exploited the vulnerability, no further information on the attacks has been released.
Since the beginning of the year, Apple has resolved ten zero-day vulnerabilities:
Hence, it is advised to install today’s security patches as soon as possible, despite the fact that this zero-day weakness was probably utilized in highly-targeted attacks.