iOS 12 Update for Older iPhones Patches Exploited Vulnerability

Apple on Wednesday started shipping patches for older iPhone and iPad devices to address a recent, actively exploited vulnerability.

Tracked as CVE-2022-32893, the vulnerability impacts WebKit and it can be exploited to achieve arbitrary code execution when the user visits a malicious website.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple notes in an advisory.

The security flaw was resolved with the release of iOS 12.5.6, which is now rolling out to iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The Cupertino-based company, which has credited an anonymous researcher for reporting the vulnerability, shipped the initial batch of patches for this zero-day roughly two weeks ago.

A second zero-day addressed at the time (with iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1) could lead to arbitrary code execution with kernel privileges. Tracked as CVE-2022-32894, the bug does not impact iOS 12, Apple says.

The tech giant describes both CVE-2022-32893 and CVE-2022-32894 as out-of-bounds write flaws that were resolved with improved bounds checking.

Apple did not share details on the exploitation of these vulnerabilities.

Someone has been offering to sell an exploit for CVE-2022-32893 and an additional iOS zero-day for $2.5 million, but their claims cannot be verified.

Related: Apple Patches New macOS, iOS Zero-Days

Related: Apple Ships Urgent Security Patches for macOS, iOS

Related: Chrome 105 Patches Critical, High-Severity Vulnerabilities

Related: Cisco Patches High-Severity Vulnerabilities in Business Switches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
