
Apple issues fix for ‘actively exploited’ WebKit zero-day vulnerability

The update marks the 10th fix for zero-day vulnerabilities this year

Apple has revealed that its recent software update fixed a critical zero-day vulnerability used in attacks against iPhone users.

In a security bulletin issued for iOS, iPadOS, Safari, tvOS and macOS Ventura, Apple said the 16.1.2 update fixed a critical flaw affecting WebKit.

WebKit is used to power the Safari web browser and a host of other apps.

iOS 16.1.2 was rolled out to users on 30th November and saw the introduction of new security tools, including the Advanced Data Protection for iCloud feature, which enables end-to-end encryption for iCloud backups.

In the initial update notes, Apple said this also included “important security updates”.

Security disclosure

According to details in this recent disclosure, Apple described the flaw as a “type confusion issue” in the WebKit engine.

This means that threat actors could use malicious web content to execute code on a user's device, install malware or spyware, or run malicious OS commands.

Apple warned that it is aware of reports that the issue “may have been actively exploited” against versions of iOS released before the 15.1 update in October.

As such, the tech giant advised users to install the recent security update as soon as possible.

Tom Davison, senior director of Engineering International at Lookout, told IT Pro that the recent vulnerabilities raise concerns for businesses, with organisations increasingly relying on mobile devices in daily operations.

“The news of these recently patched zero-day vulnerabilities in iOS should not be a surprise. We have already seen several examples of this in 2022, with 15.3, 15.6.1, and 16.1 all introducing fixes to critical vulnerabilities alleged to have been exploited in the wild,” he said.

“The real concern lies with business. Mobile devices are now an integral part of the employee toolkit. Sensitive data freely flows between the organisation and employee phones. It is absolutely imperative that enterprises take this into account,” Davison added.

WebKit Vulnerabilities

WebKit vulnerabilities have been frequently targeted by threat actors as a means to access device operating systems and exfiltrate sensitive data. A WebKit exploit can also serve as the entry point for chaining with other device vulnerabilities.

The WebKit bug, tracked as CVE-2022-42856, was discovered and subsequently disclosed by Clément Lecigne at Google’s Threat Analysis Group.

Additional information from the group on this discovery is yet to be revealed.

Zero-day fixes


This latest update marks the 10th zero-day vulnerability fix issued by Apple in 2022. In February, Apple security updates addressed another WebKit-based zero-day bug which had been used to target iPhone, iPad and Mac users.

September also saw a raft of updates issued to address critical vulnerabilities, including four code-execution flaws and one serious zero-day affecting iOS and iPadOS.

Tracked as CVE-2022-32917, the flaw enabled hackers to execute arbitrary code with kernel privileges.

Just one month later, Apple released an additional update which once again included patches for iOS and iPadOS due to an actively exploited zero-day.

The vulnerability was caused by an out-of-bounds write error in the kernel, which could be used by threat actors to execute malicious code.
