Apple has released a security update for iOS 12.5.6 to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices.
The WebKit zero-day that is known as CVE-2022-32893 was fixed for iOS 15.6.1, iPadOS 15.6, and macOS Monterey 12.5.1 on August 17, and for Safari in macOS Big Sur and macOS Catalina on August 18. This update applies to older devices running iOS 12.
Technically this is not a zero-day, because by definition a zero-day is a software vulnerability previously unknown to those who should be interested in fixing it, like the vendor of the target. And since this vulnerability has been known for weeks it is no longer considered a zero-day, although users of older Apple OS versions were unable to install a patch for this vulnerability until now.
CVE-2022-32893 is an out-of-bounds write issue that was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. The vulnerability exists in Apple’s HTML rendering software, WebKit, which powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.
Apple has already said it’s aware of a report that the issue may have been actively exploited.
Apple mentions in the security update for CVE-2022-32893 that iOS 12 is not impacted by CVE-2022-32894. As we mentioned in our blog about the two actively exploited zero-days it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32893 could be exploited for initial code to be run, and this code could be used to leverage CVE-2022-32894 to obtain kernel privileges. This does not mean the WebKit vulneraility can do no harm on devices that are not vulnerable to CVE-2022-32894, as it could be chained with another vulnerability to obtain higher privileges,
Other than the information that the exploit has been used in the wild, Apple has not released any specifics about the vulnerability. The vulnerabilities are on the CISA list of vulnerabilities to be patched by September 8.
Owners of an iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, or iPod touch (6th generation) can use the update function on the device or use iTunes to update the software to iOS 12.5.6.
Stay safe, everyone!