Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

iOS 12 Update for Older iPhones Patches Exploited Vulnerability

Apple on Wednesday started shipping patches for older iPhone and iPad devices to address a recent, actively exploited vulnerability.

Tracked as CVE-2022-32893, the vulnerability impacts WebKit and it can be exploited to achieve arbitrary code execution when the user visits a malicious website.

Apple on Wednesday started shipping patches for older iPhone and iPad devices to address a recent, actively exploited vulnerability.

Tracked as CVE-2022-32893, the vulnerability impacts WebKit and it can be exploited to achieve arbitrary code execution when the user visits a malicious website.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple notes in an advisory.

The security flaw was resolved with the release of iOS 12.5.6, which is now rolling out to iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

The Cupertino-based company, which has credited an anonymous researcher for reporting the vulnerability, shipped the initial batch of patches for this zero-day roughly two weeks ago.

A second zero-day addressed at the time (with iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1) could lead to arbitrary code execution with kernel privileges. Tracked as CVE-2022-32894, the bug does not impact iOS 12, Apple says.

The tech giant describes both CVE-2022-32893 and CVE-2022-32894 as out-of-bounds write flaws that were resolved with improved bounds checking.

Apple did not share details on the exploitation of these vulnerabilities.

Someone has been offering to sell an exploit for CVE-2022-32893 and an additional iOS zero-day for $2.5 million, but their claims cannot be verified.

Related: Apple Patches New macOS, iOS Zero-Days

Related: Apple Ships Urgent Security Patches for macOS, iOS

Related: Chrome 105 Patches Critical, High-Severity Vulnerabilities

Related: Cisco Patches High-Severity Vulnerabilities in Business Switches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.