Headline
Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability
Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November
Mobile Security / 0-Day Attack
Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation.
The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content.
While it was originally addressed by the company on November 30, 2022, as part of iOS 16.1.2 update, the patch was expanded to a broader set of Apple devices with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the iPhone maker said in an advisory published Monday.
To that end, the latest update, iOS 12.5.7, is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering the vulnerability, although exact specifics surrounding the exploitation attempts in the wild are currently unknown.
The update comes as Apple released iOS 16.3, iPadOS 16.3, macOS Ventura 13.2, watchOS 9.3, and Safari 16.3 to remediate a long list of security flaws, including two bugs in WebKit that could lead to code execution.
macOS Ventura 13.2 also plugs two denial-of-service vulnerabilities in ImageIO and Safari, alongside three flaws in the Kernel that could be abused to leak sensitive information , determine its memory layout, and execute rogue code with elevated privileges.
It’s not all bug fixes, though. The updates also bring with them the ability to use hardware security keys to lock down Apple IDs for phishing-resistant two-factor authentication. They also expand the availability of Advanced Data Protection outside of the U.S.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.
Google TAG researchers reveal two campaigns against iOS, Android, and Chrome users that demonstrate how the commercial surveillance market is thriving despite government-imposed limits.
A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed. The two distinct campaigns were both limited and highly targeted, taking advantage of the patch gap between the release of a fix and when it was actually deployed on the targeted devices. "These
Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. The iPhone maker said the
Apple Security Advisory 2023-01-23-3 - iOS 12.5.7 addresses a code execution vulnerability.
Red Hat Security Advisory 2023-0021-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-0016-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42856: webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42856: webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution
Debian Linux Security Advisory 5309-1 - Vulnerabilities have been discovered in the WPE WebKit web engine. hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory. KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy. Dohyun Lee and Ryan Shin discovered that processing maliciously crafted web content may disclose sensitive user information. Various other issues have also been addressed.
Plus: Patches for Apple iOS 16, Google Chrome, Windows 10, and more.
Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-12-13-3 - iOS 16.1.2 addresses a code execution vulnerability.
Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: iOS 16.1.2 Tags: Safari 16.2 Tags: CVE-2022-42856 Tags: type confusion Apple has released new security content for iOS 16.1.2 and Safari 16.2. to fix a zero-day security vulnerability that was actively exploited (Read more...) The post Update now! Apple patches active exploit vulnerability for iPhones appeared first on Malwarebytes Labs.
Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to