Headline
Update now! Apple patches active exploit vulnerability for iPhones
Categories: Exploits and vulnerabilities Categories: News Tags: Apple
Tags: iOS 16.1.2
Tags: Safari 16.2
Tags: CVE-2022-42856
Tags: type confusion
Apple has released new security content for iOS 16.1.2 and Safari 16.2. to fix a zero-day security vulnerability that was actively exploited
(Read more…)
The post Update now! Apple patches active exploit vulnerability for iPhones appeared first on Malwarebytes Labs.
Posted: December 16, 2022 by
Apple has released new security content for iOS 16.1.2 and Safari 16.2. Normally we would say that Apple pushed out updates, but in this mysterious case the advisory is about an iPhone software update Apple released two weeks ago. As it turns out, to fix a zero-day security vulnerability that was actively exploited.
Mitigation
The updates should all have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.
How to update your iPhone or iPad.
How to update macOS on Mac.
If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.
Since the vulnerability we’ll discuss below is already being exploited, it’s important that you update your devices as soon as you can.
CVE-2022-42856
Apple revealed that it is aware that threat actors are actively exploiting the vulnerability listed as CVE-2022-42856. The bug was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. So, it’s no surprise that you will find the same CVE number in the Safari security advisory, along with a list of others.
Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. The underlying issue was what is called a “type confusion” issue, which was addressed with improved state handling.
Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.
Another clue was given when Apple revealed that security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. That might give you an idea about who was using the exploit in the wild.
Version confusion
What remains a mystery is why Apple specifically stated that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
We asked our resident Apple expert Thomas Reed why, then, did iOS 16 users get an update and iOS 15 users didn’t?
He pointed out the fact that Apple recently documented that security fixes may only apply to the latest system, and may not be back-ported to older systems. This has always been the case, but it wasn’t documented, leaving users guessing about what was going on.
“Still, Apple has been known to back-port fixes when they’re aware of active attacks on an older system, so I doubt it’s just a matter of falling back on a disclaimer. That suggests to me that there’s some difficulty involved. I don’t know exactly what changed in WebKit between iOS 15 and 16, but there were definitely a lot of Safari-related changes in iOS 16, so it’s entirely possible there’s some kind of architectural change standing in the way of back-porting.”
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
RELATED ARTICLES
Related news
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.
By Habiba Rashid Google's Threat Analysis Group (TAG) labeled the spyware campaign as limited but highly targeted. This is a post from HackRead.com Read the original post: Google reveals spyware attack on Android, iOS, and Chrome
Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. The iPhone maker said the
Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: iOS 12.5.7 Tags: CVE-2022-42856 Tags: type confusion Tags: WebKit Apple has now released security content for iOS 12.5.7 which includes a patch for an actively exploited vulnerability in WebKit and many other updates. (Read more...) The post Own an older iPhone? Check you're on the latest version to avoid this bug appeared first on Malwarebytes Labs.
Red Hat Security Advisory 2023-0021-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-0016-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42856: webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution
Debian Linux Security Advisory 5309-1 - Vulnerabilities have been discovered in the WPE WebKit web engine. hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory. KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy. Dohyun Lee and Ryan Shin discovered that processing maliciously crafted web content may disclose sensitive user information. Various other issues have also been addressed.
Debian Linux Security Advisory 5308-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory. Maddie Stone discovered that processing maliciously crafted web content may lead to arbitrary code execution. KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy. Multiple other issues were also addressed.
Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.
Apple Security Advisory 2022-12-13-9 - Safari 16.2 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-12-13-3 - iOS 16.1.2 addresses a code execution vulnerability.
Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.
The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.
A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.
Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to