Like other manufacturers, Apple released updates to its products this week. Among other things, its developers fixed the tenth zero-day vulnerability of the year, and the new bug is known to have been actively used in attacks on iPhone users.
The new 0-day appears in the security bulletins released for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1, with Apple experts warning that the vulnerability “could be actively exploited” by hackers. No details about the attacks or the bug itself have been disclosed so far, as the company is giving users more time to install the patches.
The problem, which was discovered by experts from Google Threat Analysis Group, is tracked as CVE-2022-42856 and is a type confusion vulnerability in the WebKit engine. Essentially, the bug allowed arbitrary code to be executed on a vulnerable device via malicious web content. Attackers were able to execute commands in the operating system, deploy additional spyware or malware, and perform other malicious activities.
Apple has fixed the 0-day on the following devices: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (first generation), iPad Pro (all models), iPad Air 2 and later, iPad fifth generation and later, iPad mini 4 and later, and iPod touch (seventh generation).