Apple has backported security patches fixing a remotely exploitable zero-day vulnerability for older iPhones and iPads.

This bug is tracked as CVE-2022-42856and it stems from a type confusion weakness in Apple’s Webkit web browser browsing engine.

Apple said the flaw discovered by Clément Lecigne of Google’s Threat Analysis Group allows maliciously crafted web pages to execute arbitrary code (and likely access sensitive information) on vulnerable devices.

Attackers can successfully exploit this flaw by tricking their targets into visiting a maliciously crafted website under their control.

Once achieved, executing arbitrary code could allow them to execute commands on the underlying operating system, deploy additional malware or spyware payloads, or trigger other malicious activity .

In a security consulting released today, Apple again said it is aware of reports that this security flaw “may have been actively exploited”.

The company fixed the zero-day bug by improving the state management of the following devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Secure old devices to block attacks

Although Apple has disclosed that it has received reports of active exploitation, the company has yet to release information regarding these attacks.

By withholding this information, Apple is likely aiming to allow as many users as possible to patch their devices before other attackers discover zero-day details and start rolling out custom exploits targeting vulnerable iPhones and iPads.

Even though this security flaw has probably only been used in targeted attacks, it is still highly recommended to install today’s security updates as soon as possible to block potential attack attempts.

CISA added day zero to its list of known exploited vulnerabilities December 14causing Federal Civilian Executive Branch (FCEB) agencies to fix it to protect them “against active threats”.

Today Apple also patched dozens of other security vulnerabilities in its Safari web browser and its latest macOS, iOS and watchOS versions.