Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability

News

Jan 24, 2023Ravie LakshmananMobile Security / 0-Day Attack

Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation.

The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content.

While it was originally addressed by the company on November 30, 2022, as part of iOS 16.1.2 update, the patch was expanded to a broader set of Apple devices with iOS 15.7.2, iPadOS 15.7.2, macOS Ventura 13.1, tvOS 16.2, and Safari 16.2.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the iPhone maker said in an advisory published Monday.

To that end, the latest update, iOS 12.5.7, is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Clément Lecigne of Google’s Threat Analysis Group (TAG) has been credited with discovering the vulnerability, although exact specifics surrounding the exploitation attempts in the wild are currently unknown.

The update comes as Apple released iOS 16.3, iPadOS 16.3, macOS Ventura 13.2, watchOS 9.3, and Safari 16.3 to remediate a long list of security flaws, including two bugs in WebKit that could lead to code execution.

macOS Ventura 13.2 also plugs two denial-of-service vulnerabilities in ImageIO and Safari, alongside three flaws in the Kernel that could be abused to leak sensitive information , determine its memory layout, and execute rogue code with elevated privileges.

It’s not all bug fixes, though. The updates also bring with them the ability to use hardware security keys to lock down Apple IDs for phishing-resistant two-factor authentication. They also expand the availability of Advanced Data Protection outside of the U.S.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Google Warns of Rising Cloaking Scams, AI-Driven Fraud, and Crypto Schemes
Life on a crooked RedLine: Analyzing the infamous infostealer’s backend
THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 – Nov 10)
Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims
Palo Alto Advises Securing PAN-OS Interface Amid Potential RCE Threat Concerns

Leave a Reply

Your email address will not be published. Required fields are marked *