Apple has released iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, macOS Ventura 13.1, and Safari 16.2 to fix a zero-day vulnerability that is actively exploited in the wild in attacks.
The flaw, tracked as CVE-2022-42856, may allow a remote attacker to execute arbitrary code. “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” Apple wrote in its security advisories.
As is customary, Apple did not provide details on the scope of the attack, or any indicators of compromise (IOC) to help defenders look for signs of infections.
CVE-2022-42856 is a type confusion issue that was reported by Clément Lecigne of Google’s Threat Analysis Group. Apple said the WebKit code was cleaned up with improved state handling.
The list of impacted devices includes iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
While it is possible that the vulnerability is used in targeted attacks and is not widely used, it is strongly advised to install the update as soon as possible due to its severity.
