Apple Fixes Actively Exploited iPhone Zero-Day Vulnerability
Apple has announced that an iPhone software update released two weeks ago fixed a zero-day security flaw (tracked CVE-2022-42856) that had been actively exploited in the wild.
The iOS 16.1.2 patch was released on November 30 and progressively rolled out to all supported iPhones, quoting unspecified “important security updates.”
Updating its security bulletin on Tuesday, Apple said the patch fixed a flaw in WebKit, the browser engine behind Safari and other iOS apps. If exploited, the vulnerability could allow remote code execution (RCE) on the victim’s device.
“Processing maliciously crafted web content may lead to arbitrary code execution,” the company wrote. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.”
Commenting on the news, Tom Davison, senior director of sales engineering international at Lookout, said the news of another zero-day vulnerability in iOS should not be surprising.
“We have already seen several examples of this in 2022, with 15.3, 15.6.1, and 16.1 all introducing fixes to critical vulnerabilities alleged to have been exploited in the wild,” Davison told Infosecurity.
“There is a market for these flaws amongst sophisticated threat actors, and more will certainly be discovered. Users should configure automatic iOS updates to stay protected.”
More broadly, the executive believes the fundamental concerns associated with these flaws lie with business.
“Mobile devices are now an integral part of the employee toolkit. Sensitive data freely flows between the organization and employee phones. It is absolutely imperative that enterprises take this into account by including the security and monitoring of mobile devices alongside all other computing endpoints.”
At the same time, according to Travis Biehn, principal security consultant at the Synopsys Software Integrity Group, it is good to see private industry coordinating to protect people.
“Apple invests a lot into operating system security, compartmentalization of components, sandboxing, and assessments of WebKit – but it does show you that, for complex software like a web browser written in C++, spending a lot of money on assurance won’t keep all the bugs out,” Biehn explained.
“Developers are slowly adopting new languages like Rust and experimenting with sandbox approaches that can further isolate legacy code written in non-memory-safe languages like C and C++.”
The Apple patch comes days after the company introduced new data protection features focused on protecting users against data theft.