Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices.
This zero-day vulnerability is the same one Apple patched for macOS Monterey and iPhone/iPad devices on August 17, and for Safari on August 18.
The flaw is tracked as CVE-2022-3289 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps to access the web.
If successfully exploited, it allows attackers to perform arbitrary code execution remotely by tricking their targets into visiting a maliciously crafted website under their control.
In a security advisory published today, Apple once again said that they’re aware of reports that this security issue “may have been actively exploited.”
The list of devices today’s security updates apply to includes iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), all of them running iOS 12.5.6.
Patch your older phones to block attacks
Even though Apple has disclosed that it received reports of active exploitation in the wild, the company is yet to release info regarding these attacks.
By withholding this information, Apple is likely aiming to allow as many users as possible to apply the security updates before other attackers pick up on the zero-day’s details and start deploying exploits in their own attacks targeting vulnerable iPhones and iPads.
Although this zero-day vulnerability was most likely only used in targeted attacks, it’s still strongly advised to install today’s iOS security updates as soon as possible to block potential attack attempts.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added this security bug to its catalog of exploited vulnerabilities on August 19, requiring Federal Civilian Executive Branch (FCEB) agencies to patch it to protect “against active threats.”
This is the seventh zero-day bug fixed by Apple since the start of the year:
- In March, Apple patched two zero-day bugs in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
- In February, Apple released security updates to fix another WebKit zero-day bug exploited in attacks against iPhones, iPads, and Macs.
- In January, Apple patched two other exploited zero-days that enabled code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594).