Apple has released a fix for a serious security flaw that could have allowed threat actors to run their own code on older iPhones and iPads, the first step toward taking over the device.
The flaw was apparently being exploited in the wild, but Apple is not sharing details on specific incidents until most of the affected devices have applied the patch.
The patch addresses a type confusion vulnerability in WebKit, the engine that renders web content in Safari and in every other iOS app that displays web pages, so the exposure is not limited to the Safari app. It is tracked as CVE-2022-42856: processing maliciously crafted web content can let an attacker run arbitrary code on the target device. On its own that code runs inside WebKit's sandboxed content process; taking over the whole device additionally requires a sandbox escape or privilege-escalation bug, which real-world exploit chains of this kind typically include. The flaw was given a CVSS severity score of 8.8 ("High").
In late 2022, Apple fixed it first in iOS 16.1.2 and then in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2. It has now extended the fix to older devices that cannot run those releases (the update is iOS 12.5.7): iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
Apple says it is aware of a report that the flaw "may have been actively exploited", specifically against versions of iOS released before iOS 15.1, but it is not sharing details, presumably because doing so would help other threat actors reproduce the attack. Media reports describe the exploitation as limited to "targeted attacks", but that is no reason for ordinary users to delay the update: once an exploit is known to exist, it rarely stays with its original users for long.
The fix comes as part of a wider patch release in which Apple fixed dozens of security flaws in its Safari web browser and in the latest versions of macOS, iOS, and watchOS. However, CVE-2022-42856 appears to be the only one of the fixed vulnerabilities known to be exploited in the wild.
We expect Apple to eventually release details on how attackers were taking advantage of the flaw, and whether any malware, such as infostealers or trojans, was delivered through it.
Via: BleepingComputer