Apple Warns of 0-Day CVE-2022-42856 vulnerability on older iPhones, iPads

Apple on Wednesday released security updates for iOS, iPadOS, and iPod to remediate a zero-day vulnerability previously exploited by threat actors to compromise its devices.

Tracked as CVE-2022-42856, the vulnerability could allow a remote attacker to execute arbitrary code on the system, caused by a type confusion flaw in the WebKit component. By persuading a victim to open specially-crafted web content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Apple confirmed in-the-wild exploitation of the vulnerability in an advisory warning about code execution flaws in the security content of iOS 12.5.7.

Courtesy of Pixabay.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the company warned.

The CVE-2022-42856 vulnerability affects iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) devices. Apple has credited Clément Lecigne of Google’s Threat Analysis Group for finding this flaw.

The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it’s likely that they were abused as part of intrusions.

Now Apple fixed it to older versions so users can use the Safari browser more safely. It is recommended that users with older devices update the version in time.

Today, Apple also patched dozens of other security bugs in its Safari web browser and its latest macOS, iOS, and watchOS versions.