Apple on Tuesday published 10 new advisories describing vulnerabilities affecting its products, including a zero-day that has been exploited against iPhone users.
Apple announced on November 30 that an advisory for iOS 16.1.2 would be released in the coming days. The advisory was published two weeks later, on Patch Tuesday, and it’s unclear why the tech giant waited for so long to make the information public.
According to the company, the flaw, tracked as CVE-2022-42856, is a type confusion affecting the WebKit browser engine. An attacker can exploit the vulnerability for arbitrary code execution by getting the targeted user to access a specially crafted website.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the company said in its advisory.
Clément Lecigne of Google’s Threat Analysis Group has been credited for reporting the vulnerability to Apple. While no information has been released about the attacks leveraging CVE-2022-42856, Google typically tracks exploits used by sophisticated state-sponsored threat actors or commercial spyware vendors.
While it appears that CVE-2022-42856 has only been used against iPhone users, Apple has also patched the vulnerability with the release of macOS Ventura 13.1, tvOS 16.2, and Safari 16.2. iOS and iPadOS 15.7.2 also include fixes for the bug.
macOS Ventura 13.1 patches a total of 36 vulnerabilities that can lead to arbitrary code execution, sensitive information disclosure, security bypass, spoofing, or a denial-of-service (DoS) condition. macOS Big Sur 11.7.2 resolves 10 vulnerabilities, and macOS Monterey 12.6.2 fixes over a dozen issues.
A total of 35 flaws have been fixed with the release of iOS and iPadOS 16.2, and 17 security holes with the release of iOS and iPadOS 15.7.2.
WatchOS 9.2 addresses 25 vulnerabilities, and tvOS 16.2 addresses 28 issues. Since these operating systems are based on iOS, most of these are flaws shared among all operating systems.
Safari 16.2 patches 10 flaws and iCloud for Windows 14.1 fixes three issues — all affecting WebKit.
Additional information is available on Apple’s security updates page
Related: Apple Fixes Exploited Zero-Day With iOS 16.1 Patch
Related: Apple Patches ‘Actively Exploited’ iOS Security Flaw
Related: iOS 12 Update for Older iPhones Patches Exploited Vulnerability
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
