Apple fixes actively exploited iOS zero-day on older iPhones, iPads

Apple has backported security patches addressing a remotely exploitable zero-day vulnerability to older iPhones and iPads.

This bug is tracked as CVE-2022-42856, and it stems from a type confusion weakness in Apple's Webkit web browser browsing engine.

Apple said that the flaw discovered by Clément Lecigne of Google's Threat Analysis Group allows maliciously crafted webpages to perform arbitrary code execution (and likely gain access to sensitive information) on vulnerable devices.

Attackers can successfully exploit this flaw by tricking their targets into visiting a maliciously crafted website under their control.

Once achieved, arbitrary code execution could allow them to execute commands on the underlying operating system, deploy additional malware or spyware payloads, or trigger other malicious activity.

In a security advisory published today, Apple once again said that they're aware of reports that this security flaw "may have been actively exploited."

The company addressed the zero-day bug with improved state handling for the following devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Secure older devices to block attacks

Although Apple disclosed that it received reports of active exploitation, the company is yet to publish info regarding these attacks.

By withholding this info, Apple is likely aiming to allow as many users as possible to patch their devices before other attackers pick up on the zero-day's details and start deploying custom exploits targeting vulnerable iPhones and iPads.

Even though this security flaw was most likely only used in targeted attacks, it's still strongly recommended to install today's security updates as soon as possible to block potential attack attempts.

CISA added the zero-day to its list of known exploited vulnerabilities on December 14, requiring Federal Civilian Executive Branch (FCEB) agencies to patch it to secure them "against active threats."

Today, Apple also patched dozens of other security flaws in its Safari web browser and its latest macOS, iOS, and watchOS versions.