Apple issues fix for ‘actively exploited’ WebKit zero-day vulnerability
The update marks the 10th fix for zero-day vulnerabilities this year


Apple has revealed that its recent software update fixed a critical zero-day vulnerability used in attacks against iPhone users.
In a security bulletin issued for iOS, iPadOS, Safari, tvOS and macOS Ventura, Apple said a critical flaw affecting WebKit was fixed in the 16.1.2 patch.
WebKit is used to power the Safari web browser and a host of other apps.
iOS 16.1.2 was rolled out to users on 30th November and saw the introduction of new security tools, including the Advanced Data Protection for iCloud feature, which allows end-to-end encryption for iCloud backups.
In the initial update notes, Apple said this also included “important security updates”.
Security disclosure
According to details in this recent disclosure, Apple described the flaw as a “type confusion issue” in the WebKit engine.
This means that threat actors could use malicious web content to insert code on a user device, insert malware or spyware, or execute malicious OS commands.
Apple warned that it is aware of reports that the issue “may have been actively exploited” against versions of iOS released before the 15.1 update in October.
As such, the tech giant advised users to install the recent security update as soon as possible.
Tom Davison, senior director of Engineering International at Lookout, told IT Pro that the recent vulnerabilities raise concerns for businesses, with organisations increasingly relying on mobile devices in daily operations.
“The news of these recently patched zero-day vulnerabilities in iOS should not be a surprise. We have already seen several examples of this in 2022, with 15.3, 15.6.1, and 16.1 all introducing fixes to critical vulnerabilities alleged to have been exploited in the wild,” he said.
“The real concern lies with business. Mobile devices are now an integral part of the employee toolkit. Sensitive data freely flows between the organisation and employee phones. It is absolutely imperative that enterprises take this into account,” Davison added.
WebKit Vulnerabilities
WebKit vulnerabilities have been frequently targeted by threat actors as a means to access device operating systems and exfiltrate sensitive data. This particular method can also be used to exploit other device vulnerabilities.
The WebKit bug, tracked as CVE-2022-42856, was discovered and subsequently disclosed by Clément Lecigne at Google’s Threat Analysis Group.
Additional information from the group on this discovery is yet to be revealed.
Zero-day fixes
This latest update marks the 10th zero-day vulnerability fix issued by Apple in 2022. In February, Apple security updates addressed another WebKit-based zero-day bug which had been used to target iPhone, iPad and Mac users.
September also saw a raft of updates issued to address critical vulnerabilities, including four code-execution flaws and one serious zero-day affecting iOS and iPadOS.
Tracked as CVE-2022-32917, the flaw enabled hackers to execute arbitrary code with kernel privileges.
Just one month later, Apple released an additional update which once again included patches for iOS and iPadOS due to an actively exploited zero-day.
The vulnerability was caused by an out-of-bounds write error in the kernel, which could be used by threat actors to execute malicious code.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.