Apple Patches Actively Exploited Zero-day Vulnerability in iOS and iPadOS (CVE-2022-42856)

Apple has released an update to address an actively exploited zero-day vulnerability in WebKit. Tracked as CVE-2022-42856, this is a type confusion vulnerability that could allow arbitrary code execution on a vulnerable device. 
 
Clément Lecigne of Google’s Threat Analysis Group discovered this vulnerability. The advisory says, “This issue may have been actively exploited against versions of iOS released before iOS 15.1.”
 
WebKit is a fast open-source web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux.
 
This is the tenth zero-day fixed by Apple this year. The zero-days fixed by Apple earlier in 2022 are as follows: 

Description 
The vulnerability affects the WebKit web browser engine. WebKit flaws can be exploited in two ways:

  1. Using an in-app browser
  2. Visiting a malicious domain

On successful exploitation, this vulnerability may lead to arbitrary code execution by processing maliciously crafted web content. 
 
Affected versions  

  • iPhone 8 and later 
  • iPad Air 2 and later 
  • iPad mini 4 and later 
  • iPad Pro (all models) 
  • iPhone 7 (all models) 
  • iPhone 6s (all models) 
  • iPhone SE (1st generation) 
  • iPod touch (7th generation) 
  • iPad 5th generation and later

Mitigation  
To patch the vulnerability, customers should upgrade to iOS 16.1.2, Apple Safari 16.2, iOS 15.7.2, or iPadOS 15.7.2, as applicable to their device.
 
For more information, please visit the Apple security advisories HT213516, HT213531, and HT213537. 
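As an added example (not Qualys' or Apple's code), the following Python script shows how a defender might triage a device inventory against the fixed versions named in this section. The `Device` record, the `FIXED_VERSIONS` table, the verdict labels and the sample inventory are all constructed for illustration; the fixed versions themselves (iOS 16.1.2, iOS/iPadOS 15.7.2) and the "exploited before iOS 15.1" threshold come from the advisory text above. Because the page names no iPadOS 16.x fix, devices on that line are reported as "unknown" rather than assumed patched.

```python
"""Triage an MDM-style device inventory for CVE-2022-42856 exposure.

Added example for this post; not Qualys', Apple's or Google's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched version per platform and major release line, taken from the
# mitigation text of this post. iPadOS 16.x is intentionally absent because the
# page does not name a fix for it; such devices are flagged "unknown".
FIXED_VERSIONS: Dict[str, Dict[int, Version]] = {
    "iOS": {16: (16, 1, 2), 15: (15, 7, 2)},
    "iPadOS": {15: (15, 7, 2)},
}

# The advisory reports in-the-wild exploitation against iOS versions released
# before iOS 15.1; devices below this get a separate, higher-priority verdict.
EXPLOITED_BELOW: Version = (15, 1, 0)


@dataclass(frozen=True)
class Device:
    """One inventory row (constructed shape, not a real MDM schema)."""
    name: str
    platform: str  # "iOS" or "iPadOS"
    version: str   # e.g. "15.7.1"


def parse_version(text: str) -> Optional[Version]:
    """Turn '15.7.1' into (15, 7, 1); pad short strings; None if malformed."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def assess(device: Device) -> str:
    """Return 'patched', 'vulnerable', 'vulnerable-exploited-range',
    'unknown' (line not covered by the advisory) or 'unparseable'."""
    ver = parse_version(device.version)
    if ver is None:
        return "unparseable"
    lines = FIXED_VERSIONS.get(device.platform)
    if not lines:
        return "unknown"
    fixed = lines.get(ver[0])
    if fixed is None:
        if ver[0] > max(lines):
            # Newer release line than the page covers: do not guess.
            return "unknown"
        # Older than every patched line (e.g. iOS 14): needs an upgrade to
        # the oldest patched line at minimum.
        fixed = min(lines.values())
    if ver >= fixed:
        return "patched"
    if device.platform == "iOS" and ver < EXPLOITED_BELOW:
        return "vulnerable-exploited-range"
    return "vulnerable"


def triage(devices: List[Device]) -> Dict[str, str]:
    """Map each device name to its verdict."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY: List[Device] = [
    Device("iphone-a", "iOS", "16.1.2"),
    Device("iphone-b", "iOS", "16.1.1"),
    Device("iphone-c", "iOS", "15.7.2"),
    Device("iphone-d", "iOS", "15.0.2"),
    Device("iphone-e", "iOS", "14.8.1"),
    Device("ipad-a", "iPadOS", "15.7.1"),
    Device("ipad-b", "iPadOS", "16.1"),
    Device("ipad-c", "iPadOS", "15.7.x"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

The "unknown" verdict is deliberate: a version-comparison script should only declare a device patched when the advisory actually names a fix for that release line, and anything outside the table is handed to a human rather than silently passed.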
  
Qualys Detection  
Qualys customers can scan their devices with QIDs 610457, 610455, 610458, and 377830 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://support.apple.com/en-in/HT213516  
https://support.apple.com/en-in/HT213531  
https://support.apple.com/en-us/HT213537  
