Apple patches actively exploited zero-day in WebKit
The use-after-free vulnerability could enable an attacker to execute arbitrary code on vulnerable devices
Apple has released security updates to address a new zero-day bug in its WebKit browser engine that is allowing threat actors to execute arbitrary code to compromise iPads, iPhones, and macOS devices.
In a description of the security vulnerability, the company said that it was aware of a report that this bug may have been actively exploited by threat actors.
The zero-day patched by Apple is indexed as CVE-2022-22620. It is a use-after-free vulnerability in WebKit that could enable attackers to execute arbitrary code when maliciously crafted web content is processed on devices running vulnerable versions of iPadOS and iOS. The issue can also cause unexpected OS crashes.
"Simply put, the most likely attack scenario is an infection of an iPhone or iPad device after visiting a malicious web page," the researchers at cyber security firm Kaspersky noted in a blog post.
Use-after-free vulnerabilities stem from incorrect use of dynamic memory in applications.
WebKit, where CVE-2022-22620 exists, is the browser engine that powers the Safari browser across all Apple devices. In fact, this open source engine is used by all browsers for iPadOS and iOS: not just the iPhone's default Safari, but also Mozilla Firefox, Google Chrome and any others. As a result, even if a person does not use Safari, they are still affected by the vulnerability.
Apple says it fixed the issue by implementing better memory management in iPadOS 15.3.1, iOS 15.3.1, and macOS Monterey 12.2.1.
The security weakness affects numerous Apple devices, including:
- iPhone 6s and later
- All iPad Pro models
- iPad Air 2 and later
- iPad 5th generation and later
- iPad mini 4 and later
- iPod touch (7th generation)
- Notebooks and desktops running macOS Monterey
The issue was discovered and reported by an anonymous researcher, according to Apple.
Apple did not disclose other details of the security weakness, as is typical for the company, and is not expected to do so until the investigation is completed.
According to Kaspersky, most users should have the fixes installed by now. However, for devices that aren't yet displaying that the update is ready to install, Kaspersky recommends verifying the availability of software updates in system settings (Settings -> General -> Software update).
Last month, Apple addressed a security weakness in the Safari web browser that enabled attackers to steal information about a user's recent browsing history, and even some details of their logged-in accounts, like Google ID.
The vulnerability, which was uncovered by FingerprintJS researchers, stemmed from an issue with Apple's implementation of a JavaScript API called IndexedDB, which is part of Apple's WebKit.
Beyond the Safari web browsing bug, Apple iOS 15.3 addressed a few other security issues, some of which had already been exploited by malicious actors.
Earlier, in October, Apple released iOS 15.0.2 and iPadOS 15.0.2 to address a zero-day bug (CVE-2021-30883) that it said was being exploited in the wild.
And one month prior to that, the iPhone maker released a suite of new updates for iOS, watchOS and macOS to fix a critical bug that security researchers said was exploited by spyware to spy on a Saudi activist.