In security updates released today, Apple patched the tenth zero-day vulnerability since the start of the year, this one actively used in attacks against iPhones.
The vulnerability was disclosed in security bulletins released today for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2 and macOS Ventura 13.1, with Apple warning that the flaw “may have been actively exploited” against previous versions.
The bug (CVE-2022-42856) is a type confusion issue in Apple’s WebKit web browser engine.
The flaw, discovered by Clément Lecigne of Google’s Threat Analysis Group, allows maliciously crafted web content to execute arbitrary code on a vulnerable device.
Executing arbitrary code could allow the malicious site to execute commands in the operating system, deploy additional malware or spyware, or perform other malicious actions.
Apple has addressed the zero-day vulnerability by improving state management for the following devices: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Patch your iPhones, iPads and macOS Ventura
Although Apple disclosed that threat actors were actively exploiting the vulnerability, the company has yet to provide details about the attacks.
However, since the vulnerability was discovered by Clément Lecigne of Google’s Threat Intelligence team, we’ll likely learn more about it in an upcoming blog post.
Such a delay in providing details is usually meant to allow users to patch their devices before other threat actors analyze the patches and develop their own exploits.
Even though this zero-day flaw has probably been used in highly targeted attacks, it is still advisable to install today’s security updates as soon as possible.
This is the tenth zero-day fixed by Apple since the beginning of the year: