
New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products


On Tuesday, Apple released security patches for the Safari web browser, iOS, iPadOS, macOS, and tvOS to fix a brand-new zero-day vulnerability that could lead to the execution of malicious code.

The problem, identified as CVE-2022-42856, is a type confusion flaw in the WebKit browser engine that could be triggered when processing specially crafted content, resulting in arbitrary code execution, according to the tech giant.


“Aware of a report that this issue may have been aggressively exploited against versions of iOS published before iOS 15.1,” the company stated.

Although specifics about the nature of the attacks are still unknown, it’s likely that they involved some form of social engineering or a watering hole attack to infect devices when users visited a malicious or legitimate-but-compromised domain through their browsers.


It’s important to note that due to limitations set by Apple, every third-party web browser that is available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, among others, must use the WebKit rendering engine.


Credited with discovering and reporting the issue is Clément Lecigne of Google’s Threat Analysis Group (TAG). Apple noted it addressed the bug with improved state handling.


The update, which is available with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2, arrives two weeks after Apple patched the same bug in iOS 16.1.2 on November 30, 2022.

The fix marks the resolution of the tenth zero-day vulnerability discovered in Apple software since the start of the year. It’s also the ninth actively exploited zero-day flaw in 2022:

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22594 (WebKit Storage) – A website may be able to track sensitive user information (publicly known but not actively exploited)
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
  • CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2022-32893 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2022-32894 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-32917 (Kernel) – An application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-42827 (Kernel) – An application may be able to execute arbitrary code with kernel privileges

The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption (E2EE) to iCloud Backup, Notes, Photos, and more.

