Jump to content
  • Apple fixes actively exploited iOS zero-day on older iPhones, iPads

    alf9872000

    • 450 views
    • 2 minutes
     Share


    • 450 views
    • 2 minutes

    Apple has backported security patches addressing a remotely exploitable zero-day vulnerability to older iPhones and iPads.

     

    This bug is tracked as CVE-2022-42856, and it stems from a type confusion weakness in Apple's Webkit web browser browsing engine.

     

    Apple said that the flaw discovered by Clément Lecigne of Google's Threat Analysis Group allows maliciously crafted webpages to perform arbitrary code execution (and likely gain access to sensitive information) on vulnerable devices.

     

    Attackers can successfully exploit this flaw by tricking their targets into visiting a maliciously crafted website under their control.

     

    Once achieved, arbitrary code execution could allow them to execute commands on the underlying operating system, deploy additional malware or spyware payloads, or trigger other malicious activity.

     

    In a security advisory published today, Apple once again said that they're aware of reports that this security flaw "may have been actively exploited."

     

    The company addressed the zero-day bug with improved state handling for the following devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

    Secure older devices to block attacks

    Although Apple disclosed that it received reports of active exploitation, the company is yet to publish info regarding these attacks.

     

    By withholding this info, Apple is likely aiming to allow as many users as possible to patch their devices before other attackers pick up on the zero-day's details and start deploying custom exploits targeting vulnerable iPhones and iPads.

     

    Even though this security flaw was most likely only used in targeted attacks, it's still strongly recommended to install today's security updates as soon as possible to block potential attack attempts.

     

    CISA added the zero-day to its list of known exploited vulnerabilities on December 14, requiring Federal Civilian Executive Branch (FCEB) agencies to patch it to secure them "against active threats."

     

    Today, Apple also patched dozens of other security flaws in its Safari web browser and its latest macOS, iOS, and watchOS versions.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...