Apple Fixes Actively Exploited iPhone Zero-Day Vulnerability
Apple has announced that an iPhone software update released two weeks ago fixed a zero-day security flaw (tracked CVE-2022-42856) that had been actively exploited in the wild.
The iOS 16.1.2 patch was released on November 30 and progressively rolled out to all supported iPhones, with release notes citing only unspecified “important security updates.”
Updating its security bulletin on Tuesday, Apple said the patch fixed a flaw in WebKit, the browser engine behind Safari and other iOS apps. If exploited, the vulnerability could allow remote code execution (RCE) on the victim’s device.
“Processing maliciously crafted web content may lead to arbitrary code execution,” the company wrote. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.”
Commenting on the news, Tom Davison, senior director of sales engineering international at Lookout, said the news of another zero-day vulnerability in iOS should not be surprising.
“We have already seen several examples of this in 2022, with 15.3, 15.6.1, and 16.1 all introducing fixes to critical vulnerabilities alleged to have been exploited in the wild,” Davison told Infosecurity.
“There is a market for these flaws amongst sophisticated threat actors, and more will certainly be discovered. Users should configure automatic iOS updates to stay protected.”
More broadly, Davison believes the fundamental concern raised by these flaws lies with businesses.
“Mobile devices are now an integral part of the employee toolkit. Sensitive data freely flows between the organization and employee phones. It is absolutely imperative that enterprises take this into account by including the security and monitoring of mobile devices alongside all other computing endpoints.”
At the same time, according to Travis Biehn, principal security consultant at the Synopsys Software Integrity Group, it is good to see private industry coordinating to protect people.
“Apple invests a lot into operating system security, compartmentalization of components, sandboxing, and assessments of WebKit – but it does show you that, for complex software like a web browser written in C++, spending a lot of money on assurance won’t keep all the bugs out,” Biehn explained.
“Developers are slowly adopting new languages like Rust and experimenting with sandbox approaches that can further isolate legacy code written in non-memory-safe languages like C and C++.”
The Apple patch comes days after the company introduced new data protection features focused on protecting users against data theft.