Another month, another zero-day (CVE-2022-22620) exploited in the wild that has been fixed by Apple.
CVE-2022-22620 is a use after free issue in WebKit, the browser engine used in Safari and all iOS web browsers.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the company noted in the security update release notes, and credited an anonymous researcher with reporting it.
“WebKit vulnerabilities are typically exploited by exposing the device to a malicious webpage, but anything rendered using the WebKit engine could potentially be used to expose the vulnerability,” noted Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute.
“Currently, it isn’t clear if other devices using WebKit are vulnerable, or if the patch will be released as a Safari update for older macOS versions. But typically, Apple does not release vulnerability information until all affected operating systems are patched.”
Apply the updates
As per usual, no specific details about the vulnerability or the attacks have been shared.
Many of the actively exploited zero-day vulnerabilities in iOS fixed by Apple in the last several years turned out to be leveraged to deliver NSO Group’s Pegasus spyware to select targets in limited attacks.
Still, there is a possibility the attacks are more widespread, so users of iPhones, iPads and Macs should not rely on their devices to check for and inform them about available updates, but look for themselves and implement them as soon as possible.