Apple has quietly rolled out extra updates to iOS to repair an actively exploited zero-day safety vulnerability that it patched earlier this month in newer units. The vulnerability, present in WebKit, can permit attackers to create malicious Internet content material that permits distant code execution (RCE) on a person’s gadget.
An replace launched Wednesday, iOS 12.5.6, applies to the next fashions: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod contact sixth technology.
The flaw in query (CVE-2022-32893) is described by Apple as an out-of-bounds write concern in WebKit. It was addressed within the patch with improved bounds checking. Apple acknowledged that the bug is beneath energetic exploit, and is urging customers of affected units to replace instantly.
Apple had already patched the vulnerability for some units — alongside a kernel flaw tracked as CVE-2022-32894 — earlier in August in iOS 15.6.1. That is an replace that coated iPhone 6S and later, iPad Professional (all fashions), iPad Air 2 and later, iPad fifth technology and later, iPad mini 4 and later, and iPod contact (seventh technology).
The most recent spherical of patches seems to be Apple protecting all its bases by including safety for iPhones operating older variations of iOS, famous safety evangelist Paul Ducklin.
“We’re guessing that Apple should have come throughout not less than some high-profile (or high-risk, or each) customers of older telephones who had been compromised on this method, and determined to push out safety for everybody as a particular precaution,” he wrote in a publish on the Sophos Bare Safety weblog.
The twin protection by Apple to repair the bug in each variations of iOS is as a result of change wherein variations of the platform run on which iPhones, Ducklin defined.
Earlier than Apple launched iOS 13.1 and iPadOS 13.1, iPhones and iPads used the identical working system, known as iOS for each units, he mentioned. Now, iOS 12.x covers iPhone 6 and earlier units, whereas iOS 13.1 and later variations run on iPhone 6s and units launched after.
The opposite zero-day flaw that Apple patched earlier this month, CVE-2022-32894, was a kernel vulnerability that may permit for total gadget takeover. However whereas iOS 13 was affected by that flaw — and thus received a patch for it within the earlier replace — it doesn’t have an effect on iOS 12, Ducklin noticed, “which nearly actually avoids the danger of complete compromise of the working system itself” on older units, he mentioned.
WebKit: A Extensive Cyberattack Floor
WebKit is the browser engine that powers Safari and all different third-party browsers that work on iOS. By exploiting CVE-2022-32893, a menace actor can construct malicious content material into a web site. Then, if somebody visits the positioning from an affected iPhone, the actor can remotely execute malware on his or her gadget.
WebKit generally has been a persistent thorn in Apple’s aspect in the case of exposing customers to vulnerabilities as a result of it spreads past iPhones and different Apple units to different browsers that use it — together with Firefox, Edge, and Chrome — placing doubtlessly hundreds of thousands of customers in danger from a given bug.
“Keep in mind that WebKit bugs exist, loosely talking, on the software program layer beneath Safari, in order that Apple’s personal Safari browser is not the one app in danger from this vulnerability,” Ducklin noticed.
Furthermore, any app that shows Internet content material on iOS for functions apart from basic searching — akin to in its assist pages, its “About” display, and even in a built-in “minibrowser” — makes use of WebKit beneath the hood, he added.
“In different phrases, simply ‘avoiding Safari’ and sticking to a third-party browser shouldn’t be an acceptable workaround [for WebKit bugs],” Ducklin wrote.
Apple Underneath Assault
Whereas customers and professionals alike have historically thought-about Apple’s Mac and iOS platforms as safer than Microsoft Home windows — and this has typically been true for a variety of causes — the tide is starting to show, consultants say.
Certainly, an rising menace panorama displaying extra curiosity in focusing on extra ubiquitous Internet applied sciences and never the OS itself has widened the goal on Apple’s again, based on a menace report launched in January, and the corporate’s defensive patching technique displays this.
Apple has patched not less than 4 zero-day flaws this 12 months, with two patches for earlier iOS and macOS vulnerabilities coming in January and one in February — the latter of which fastened one other actively exploited concern in WebKit.
Furthermore, final 12 months 12 of 57 zero-day threats that researchers from Google’s Undertaking Zero tracked had been Apple-related (i.e., greater than 20%), with points affecting macOS, iOS, iPadOS, and WebKit.