Apple users told to update their devices to fix critical WebKit flaw

The security flaw allowed code execution on a range of devices and represents the third major vulnerability to be patched by Apple this year

Apple has patched a serious security flaw in WebKit affecting iOS, iPadOS, and macOS that allowed arbitrary code execution on a range of Apple devices, with evidence indicating that the issue has been actively exploited.

Experts have advised all Apple users to update their iPhones and iPads to the latest version (15.3.1) to prevent potential attacks caused by accessing maliciously crafted web content. 

The flaw affects iPhones as old as the iPhone 6s, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4th generation and later, and iPod Touch 7th generation.

The same WebKit issue also affects Safari, which prompted Apple to release security updates for its Mac-based browser, available on macOS Big Sur and macOS Catalina. Macs running the latest macOS Monterey have been issued a patch for the operating system itself, version 12.2.1.

The vulnerability is tracked as CVE-2022-22620 and was disclosed to Apple by an anonymous researcher. In typical fashion, Apple has offered very few details about it, but said the issue belongs to the use-after-free class, which means it stems from incorrect use of dynamic memory in applications, Kaspersky said in its analysis.

WebKit is a browser engine developed by Apple and used mainly in its Safari browser, but also in many other applications on Apple's operating systems. It is also used on Linux, and by Google Chrome and Mozilla Firefox on iPhone.

Owners of affected Apple devices should check for a software update in their device's settings menu, provided they haven't already received a push notification that an update is ready.
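For administrators who look after more than one device, the same check can be run against an inventory export. The following is an added example, not code from Apple or Kaspersky: it compares reported OS versions with the fixed releases named above (15.3.1 and 12.2.1). The CSV layout, hostnames and status labels are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io

# Fixed releases named in the article; the Safari update's version is not given there.
FIXED = {"ios": (15, 3, 1), "ipados": (15, 3, 1), "macos": (12, 2, 1)}

# Constructed sample inventory (hypothetical MDM export; versions chosen to hit edge cases).
SAMPLE_INVENTORY = """hostname,platform,os_version
exec-iphone,iOS,15.3.1
sales-iphone,iOS,15.3
lab-ipad,iPadOS,15.10
old-ipod,iOS,14.8.1
dev-mbp,macOS,12.2
design-imac,macOS,11.6.3
build-mini,macOS,10.15.7
kiosk-ipad,iPadOS,fifteen
"""

def parse_version(text):
    """Turn '15.3' into (15, 3, 0) so that 15.10 compares above 15.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3 or min(parts) < 0:
        raise ValueError("unexpected version format: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, os_version):
    """Return 'patched', 'update-required', 'check-safari' or 'unknown'."""
    platform = platform.strip().lower()
    if platform not in FIXED:
        return "unknown"
    try:
        version = parse_version(os_version)
    except ValueError:
        return "unknown"  # unparseable data goes to manual review, never "patched"
    if platform == "macos" and version[0] < 12:
        # Big Sur (11.x) and Catalina (10.15.x) are fixed through a Safari update.
        return "check-safari" if version >= (10, 15, 0) else "unknown"
    return "patched" if version >= FIXED[platform] else "update-required"

def audit(inventory_csv):
    """Map each hostname in the CSV text to its patch status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `check-safari` need their Safari version confirmed separately, since the OS version alone does not show whether the browser update was installed.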

The patches mark the third major security update this year for Apple after January's array of security issues, including two zero-day vulnerabilities, were found to affect iPhones, iPads, and Macs.

The vulnerabilities included serious issues that could have allowed attackers to execute arbitrary code with kernel privileges, and some of them are also believed to have been actively exploited in the wild.

Earlier in January, a separate flaw in WebKit was also found that let websites track users' browsing activity and unique identifiers. Described at the time as a 'privacy violation', the bug was particularly troublesome for Apple given its stance on web tracking.

The company released its anti-tracking App Tracking Transparency feature in 2021, which allowed users to opt in to a device setting that required installed apps to explicitly ask for permission to collect data allowing them to track users across other apps and websites. While the feature is a boon to end-user privacy, Meta recently said it will cost its business $10 billion.

It follows what was a tricky 2021 in terms of security for Apple. Throughout the course of last year, the company patched numerous zero-day vulnerabilities as well as other security flaws affecting devices in its ecosystem. Most notable among the patches was a fix for the ForcedEntry exploit used by NSO Group's Pegasus spyware to gain a foothold in iPhones.
