Apple has released a patch addressing CVE-2022-42856, a vulnerability in Apple’s Webkit browser engine. Discovered by Clément Lecigne of Google’s Threat Analysis Group, the bug would allow a threat actor to craft a custom webpage containing exploit code that would infect any user who visits the page. Access in this way could allow an attacker to gather information such as messages, emails, and contacts. In addition, the attacker is able to execute commands on the device’s underlying operating system to load additional malware, or harvest additional information from the victim device.
Apple has addressed this vulnerability in the following devices:
- Phone 5s
- iPhone 6
- iPhone 6 Plus
- iPad Air
- iPad mini
- iPad mini 3
- iPod touch (6th generation)
While Apple has expressed that they have received reports of the active exploitation of this vulnerability in the wild, they remain tight lipped about details regarding any of said attacks.
Analyst Notes
The latest versions of the Safari browser, macOS, iOS, and watchOS address several recently discovered vulnerabilities. Not only does Binary Defense recommend that users upgrade their Apple devices to the latest software versions, but the Cybersecurity and Infrastructure Security Agency (CISA) has issued a notice for Federal Civilian Executive Branch (FCEB) agencies to patch their devices to secure them “against active threats.”
https://www.bleepingcomputer.com/news/apple/apple-fixes-actively-exploited-ios-zero-day-on-older-iphones-ipads/
https://support.apple.com/en-us/HT213597
