Dec 14 – Two weeks ago, Apple released a software update designed to fix a zero day vulnerability, which the company now says that hackers attempted to exploit. The update, iOS 16.1.2 was released on November 30th. All supported iPhones -including iPhone 8 and later- received it.
According to a disclosure on the company’s security updates page, Apple reportedly resolved a flaw in WebKit, the browser engine that supports Safari, along with other apps.
Cyber criminals interested in exploiting the vulnerability could have potentially sent malware to individuals’ devices. The bug was initially discovered by Google’s Threat Analysis Group, which investigates nation state-backed espionage, hacking and cyber attacks.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” Apple noted in its advisory.
Cyber criminals can exploit WebKit bugs when an individual visits a malicious domain via a browser (or in-app browser). When meddling with WebKit bugs, hackers typically aim to break into a device’s operating system and may steal private data.
In some instances, WebKit bugs may be “chained” to other vulnerabilities, allowing hackers to push through multiple layers of a device’s defenses to access a wide variety of data types.
Further security implications
On Tuesday, Apple stated that it is aware of the fact that the vulnerability was exploited “against versions of iOS released before iOS 15.1,” which came out in October of 2021. Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for consumers who use iPhone 6s and later, along with select iPad models.
Cyber security researchers are tracking the bug as CVE-2022-42856, or WebKit 247562. Why Google and Apple chose to withhold the details of the bug for several weeks remains unclear.
For more Apple-focused coverage from CyberTalk, please see the stories below.
- Apple advances security for iCloud and iMessage
- Apple transitions to USB-C, but isn’t happy…
- Apple’s new Lockdown Mode limits spyware threats on your iPhone
- Apple signs 10 year streaming deal with soccer teams
- Apple patches three zero-days: What to know
Additional information about CVE-2022-42856 is available on Apple’s security updates page. Lastly, discover new trends, expert interviews, and so much more when you subscribe to the CyberTalk.org newsletter.