Apple has released an update to address an actively exploited zero-day vulnerability in WebKit. Tracked as CVE-2022-42856, this is a type confusion vulnerability that could allow arbitrary code execution on a vulnerable device.
Clément Lecigne of Google’s Threat Analysis Group discovered and reported this vulnerability. Apple’s advisory says, “This issue may have been actively exploited against versions of iOS released before iOS 15.1.”
WebKit is a fast, open-source web browser engine used by Safari, Mail, the App Store, and many other apps on macOS, iOS, and Linux.
This is the tenth zero-day fixed by Apple this year. The zero-days fixed by Apple earlier in 2022 are as follows:
- CVE-2022-22587 (IOMobileFrameBuffer) and CVE-2022-22594 (WebKit Storage), in January 2022
- CVE-2022-22620 (WebKit), in February 2022
- CVE-2022-22674 (Intel Graphics Driver) and CVE-2022-22675 (AppleAVD), in March 2022
- CVE-2022-32893 (WebKit) and CVE-2022-32894 (iOS Kernel), in August 2022
- CVE-2022-32917 (iOS Kernel), in September 2022
- CVE-2022-42827 (iOS Kernel), in October 2022
The vulnerability affects the WebKit browser engine. WebKit flaws can be exploited in two ways:
- Through an in-app browser view
- By visiting a malicious website
On successful exploitation, processing maliciously crafted web content may lead to arbitrary code execution. The following devices are affected:
- iPhone 8 and later
- iPad Air 2 and later
- iPad mini 4 and later
- iPad Pro (all models)
- iPhone 7 (all models)
- iPhone 6s (all models)
- iPhone SE (1st generation)
- iPod touch (7th generation)
- iPad 5th generation and later
To patch the vulnerability, upgrade to iOS 16.1.2, iOS 15.7.2, iPadOS 15.7.2, or Safari 16.2, as applicable to the device.
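As an added example (not part of this post or of Apple’s advisory), the script below triages an exported device inventory against the fixed versions listed above; the field names `os`, `version` and `safari` and the sample rows are assumptions. Branches the advisory does not name (for example iPadOS 16) are reported as unknown rather than guessed.

```python
"""Triage a device inventory against the CVE-2022-42856 fixed versions.

Added example; it is not Qualys or Apple code. Inventory rows are assumed to
carry "name", "os" (iOS / iPadOS / macOS), "version" and, for macOS, "safari".
"""
from typing import Dict, List, Tuple

# Minimum fixed version per OS branch, taken from the advisory text above.
FIXED_VERSIONS = {
    "iOS": {15: (15, 7, 2), 16: (16, 1, 2)},
    "iPadOS": {15: (15, 7, 2)},
}
FIXED_SAFARI = (16, 2, 0)  # Safari 16.2 on macOS


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.7.1' into (15, 7, 1); missing trailing components count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def triage(device: Dict[str, str]) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    try:
        if device.get("os") == "macOS":
            # On macOS the fix ships with Safari, so compare the Safari version.
            safari = device.get("safari")
            if not safari:
                return "unknown"
            return "patched" if parse_version(safari) >= FIXED_SAFARI else "vulnerable"
        branches = FIXED_VERSIONS.get(device.get("os", ""))
        if not branches:
            return "unknown"
        ver = parse_version(device["version"])
        fixed = branches.get(ver[0])
        if fixed is None:
            return "unknown"  # branch not covered by the advisory; do not guess
        return "patched" if ver >= fixed else "vulnerable"
    except (KeyError, ValueError):
        return "unknown"  # malformed row


def summarize(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group device names by triage result."""
    out: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device in inventory:
        out[triage(device)].append(device["name"])
    return out


SAMPLE_INVENTORY = [  # constructed sample data, not a real inventory
    {"name": "iphone-ceo", "os": "iOS", "version": "16.1.1"},
    {"name": "iphone-8-lab", "os": "iOS", "version": "16.1.2"},
    {"name": "iphone-7-kiosk", "os": "iOS", "version": "15.7.1"},
    {"name": "ipad-air2-frontdesk", "os": "iPadOS", "version": "15.7.2"},
    {"name": "ipad-pro-design", "os": "iPadOS", "version": "16.1"},
    {"name": "mbp-dev", "os": "macOS", "version": "13.0.1", "safari": "16.1"},
    {"name": "mac-mini-ci", "os": "macOS", "version": "13.1", "safari": "16.2"},
]

if __name__ == "__main__":
    for status, names in summarize(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```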
For more information, please visit the Apple security advisories HT213516, HT213531, and HT213537.
Qualys customers can scan their devices with QIDs 610457, 610455, 610458, and 377830 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.