Apple users told to update their devices to fix critical WebKit flaw

iPhone 11 Pro held in someone's hand
(Image credit: Getty Images)

Apple has patched a serious security flaw in WebKit affecting iOS, iPadOS, and macOS that allowed arbitrary code execution on a range of Apple devices, with evidence indicating that the issue has been actively exploited.

Experts have advised all Apple users to update their iPhones and iPads to the latest version (15.3.1) to prevent potential attacks caused by accessing maliciously crafted web content.

The flaw affects iPhones as old as the iPhone 6s, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4th generation and later, and iPod Touch 7th generation.

The same WebKit issue also affects Safari, which prompted Apple to release security updates for its Mac-based browser, available on macOS Big Sur and macOS Catalina. Macs running the latest macOS Monterey have been issued a patch for the operating system itself, version 12.2.1.

The security vulnerability is tracked as CVE-2022-22620 and was disclosed to Apple by an anonymous researcher. In typical fashion, Apple has offered very few details about the vulnerability but said the issue is related to the use after free class, which means it is related to incorrect use of dynamic memory in applications, Kaspersky said in its analysis.

WebKit is a browser engine developed by Apple and mainly used in its Safari browser but also many other applications on Apple's operating systems. It's also present on Linux, as well as Google Chrome and Mozilla Firefox for iPhone.

Owners of affected Apple devices should check for a software update in their device's settings menu, providing they haven't already received a push notification that an update is ready.

The patches mark the third major security update this year for Apple after January's array of security issues, including two zero-day vulnerabilities, were found to affect iPhones, iPads, and Macs.

The vulnerabilities included serious issues which could have led attackers to execute arbitrary code with kernel privileges with some of them also believed to be actively exploited in the wild.


Vulnerability and patch management

Keep known vulnerabilities out of your IT infrastructure


Earlier in January, a separate flaw in WebKit was also found that let websites track user's browsing activity and unique identifiers. Described at the time as a 'privacy violation', the bug was particularly troublesome for Apple given its stance on web tracking.

The company released an anti-tracking App Tracking Transparency feature in 2021 which allowed users to opt-in to a device setting that required installed apps to explicitly ask for their ability to collect data allowing them to track users across other apps and websites. A boon to end-user privacy, Meta recently said the feature will cost its business $10 billion.

It follows what was a tricky 2021 in terms of security for Apple. Throughout the course of last year, the company patched numerous zero-day vulnerabilities as well as other security flaws affecting devices in its ecosystem. Most notable among the patches was a fix for the ForcedEntry exploit used by NSO Group's Pegasus spyware to gain a foothold in iPhones.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.