In December, 2022, we warned our readers about an actively exploited vulnerability in Apple’s WebKit. Back then we wondered why Apple specifically stated that the issue may have been actively exploited against versions of iOS released before iOS 15.1.
At the time, our resident Apple expert Thomas Reed said that Apple has been known to release fixes for older systems when it is aware of active attacks taking place. And indeed, Apple has now released security content for iOS 12.5.7. which includes a patch for this vulnerability.
The patch is available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
The update may already have reached your device during your regular update routines, but it doesn't hurt to check if your device is at the latest update level.
Since the vulnerability we’ll discuss below is already being exploited, it's important that you install the update your devices as soon as you can, if you haven’t already.
The bug (CVE-2022-42856) was found in WebKit which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps.
Apple says the impact of the vulnerability is that processing maliciously crafted web content may lead to arbitrary code execution. In essence this means an attacker can try to lure his victims to a malicious site to compromise their devices. But Apple has not disclosed any details about the circumstances under which the vulnerability was actively exploited.
There is also new security content for iOS 15.7.2 and iPadOS 15.7.2 and security updates for a lot of other Apple software.