Apple has released new security content for iOS 16.1.2 and Safari 16.2. Normally we would say that Apple pushed out updates, but in this mysterious case the advisory is about an iPhone software update Apple released two weeks ago. As it turns out, to fix a zero-day security vulnerability that was actively exploited.
Mitigation
The updates should all have reached you in your regular update routines, but it doesn’t hurt to check if your device is at the latest update level.
How to update your iPhone or iPad.
If you fear your Mac has been infected, try out Malwarebytes for Mac. Or Malwarebytes for iOS for your Apple devices.
Since the vulnerability we’ll discuss below is already being exploited, it’s important that you update your devices as soon as you can.
CVE-2022-42856
Apple revealed that it is aware that threat actors are actively exploiting the vulnerability listed as CVE-2022-42856. The bug was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. So, it’s no surprise that you will find the same CVE number in the Safari security advisory, along with a list of others.
Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. The underlying issue was what is called a “type confusion” issue, which was addressed with improved state handling.
Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In some cases, this can lead to code execution.
Another clue was given when Apple revealed that security researchers at Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. That might give you an idea about who was using the exploit in the wild.
Version confusion
What remains a mystery is why Apple specifically stated that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
We asked our resident Apple expert Thomas Reed why, then, did iOS 16 users get an update and iOS 15 users didn’t?
He pointed out the fact that Apple recently documented that security fixes may only apply to the latest system, and may not be back-ported to older systems. This has always been the case, but it wasn’t documented, leaving users guessing about what was going on.
“Still, Apple has been known to back-port fixes when they’re aware of active attacks on an older system, so I doubt it’s just a matter of falling back on a disclaimer. That suggests to me that there’s some difficulty involved. I don’t know exactly what changed in WebKit between iOS 15 and 16, but there were definitely a lot of Safari-related changes in iOS 16, so it’s entirely possible there’s some kind of architectural change standing in the way of back-porting.”
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.