Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and the Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.
Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to arbitrary code execution.
The company said it's "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."
While details surrounding the exact nature of the attacks are unknown as yet, it's likely that it involved a case of social engineering or a watering hole to infect the devices when visiting a rogue or legitimate-but-compromised domain via the browser.
It's worth noting that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, Microsoft Edge, and others, is required to use the WebKit rendering engine due to restrictions imposed by Apple.
Credited with discovering and reporting the issue is Clément Lecigne of Google's Threat Analysis Group (TAG). Apple noted it addressed the bug with improved state handling.
The update, which is available with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the same bug in iOS 16.1.2 on November 30, 2022.
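A branch-aware patch check against the fixed releases listed above, as an added example that is not part of the original article. The inventory rows and host names are constructed, and the check assumes that later releases on the same major branch keep the fix.

```python
# Fixed releases named in the article, keyed by (platform, major version) so a
# device is only compared against the fix shipped for its own release branch.
FIXED = {
    ("iOS", 15): "15.7.2",
    ("iOS", 16): "16.1.2",
    ("iPadOS", 15): "15.7.2",
    ("macOS", 13): "13.1",
    ("tvOS", 16): "16.2",
    ("Safari", 16): "16.2",
}


def parse_version(text):
    """Turn '13.1' into (13, 1, 0) so versions compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def patch_status(platform, version):
    """Return 'patched', 'needs-update' or 'unknown-branch' for CVE-2022-42856."""
    current = parse_version(version)
    fixed = FIXED.get((platform, current[0]))
    if fixed is None:
        # The article names no fix for this branch: check Apple's notes by hand.
        return "unknown-branch"
    # Assumption: every later release on the same branch keeps the fix.
    return "patched" if current >= parse_version(fixed) else "needs-update"


def triage(inventory):
    """Return (host, platform, version, status) for every row not yet patched."""
    rows = []
    for host, platform, version in inventory:
        status = patch_status(platform, version)
        if status != "patched":
            rows.append((host, platform, version, status))
    return rows


# Constructed sample inventory (hypothetical host names), e.g. an MDM export.
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "15.7.1"),
    ("phone-02", "iOS", "16.1"),    # higher than 15.7.2, still below 16.1.2
    ("phone-03", "iOS", "16.1.2"),
    ("mac-01", "macOS", "13.0.1"),
    ("mac-02", "macOS", "12.6.1"),  # branch not covered by the article
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

Comparing every device against a single minimum version would wrongly pass an iOS 16.1 device, since 16.1 sorts above 15.7.2 but predates the 16.1.2 fix.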
The fix marks the resolution of the tenth zero-day vulnerability discovered in Apple software since the start of the year. It's also the ninth actively exploited zero-day flaw in 2022:
- CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
- CVE-2022-22594 (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
- CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
- CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-32893 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
- CVE-2022-32894 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-32917 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
- CVE-2022-42827 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption (E2EE) to iCloud Backup, Notes, Photos, and more.