Apple Quietly Releases Another Patch for Zero-Day RCE Bug

  /     /     /  
Publicated : 23/11/2024   Category : security


Apple Quietly Releases Another Patch for Zero-Day RCE Bug


Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.



Apple has quietly rolled out more updates to iOS to fix an actively exploited zero-day security vulnerability that it patched earlier this month in newer devices. The vulnerability, found in WebKit, can allow attackers to create malicious Web content that allows remote code execution (RCE) on a users device.
An update
released Wednesday, iOS 12.5.6, applies to the following models: iPhone 5S, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation.
The flaw in question (
CVE-2022-32893
) is described by Apple as an out-of-bounds write issue in WebKit. It was addressed in the patch with improved bounds checking. Apple acknowledged that the bug is under active exploit, and is urging users of affected devices to update immediately.
Apple had already patched the vulnerability for some devices — alongside a kernel flaw tracked as CVE-2022-32894 —
earlier in August
in iOS 15.6.1. Thats
an update
that covered iPhone 6S and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
The latest round of patches appears to be Apple covering all its bases by adding protection for iPhones running older versions of iOS, noted security evangelist Paul Ducklin.
Were guessing that Apple must have come across at least some high-profile (or high-risk, or both) users of older phones who were compromised in this way, and decided to push out protection for everyone as a special precaution, he wrote
in a post
on the Sophos Naked Security blog.
The dual coverage by Apple to fix the bug in both versions of iOS is due to the change in which versions of the platform run on which iPhones, Ducklin explained.
Before Apple released iOS 13.1 and iPadOS 13.1, iPhones and iPads used the same operating system, referred to as iOS for both devices, he said. Now, iOS 12.x covers iPhone 6 and earlier devices, while iOS 13.1 and later versions run on iPhone 6s and devices released after.
The other zero-day flaw that Apple patched earlier this month, CVE-2022-32894, was a kernel vulnerability that can allow for entire device takeover. But while iOS 13 was affected by that flaw — and thus got a patch for it in the earlier update — it does not affect iOS 12, Ducklin observed, which almost certainly avoids the risk of total compromise of the operating system itself on older devices, he said.
WebKit is the browser engine that powers Safari and all other third-party browsers that work on iOS. By exploiting CVE-2022-32893, a threat actor can build malicious content into a website. Then, if someone visits the site from an affected iPhone, the actor can remotely execute malware on his or her device.
WebKit in general has been a persistent thorn in Apples side when it comes to exposing users to vulnerabilities because it spreads beyond iPhones and other Apple devices to other browsers that use it — including Firefox, Edge, and Chrome — putting potentially millions of users at risk from a given bug.
Remember that WebKit bugs exist, loosely speaking, at the software layer below Safari, so that Apples own Safari browser isnt the only app at risk from this vulnerability, Ducklin observed.
Moreover, any app that displays Web content on iOS for purposes other than general browsing — such as in its help pages, its
About
screen, or even in a built-in minibrowser — uses WebKit under the hood, he added.
In other words, just avoiding Safari and sticking to a third-party browser is not a suitable workaround [for WebKit bugs], Ducklin wrote.
While users and professionals alike have traditionally considered Apples Mac and iOS platforms as more secure than Microsoft Windows — and this has generally been true for a number of reasons — the tide is beginning to turn, experts say.
Indeed, an emerging threat landscape showing more interest in targeting more ubiquitous Web technologies and not the OS itself
has widened the target
on Apples back, according to
a threat report
released in January, and the companys defensive patching strategy reflects this.
Apple has patched at least four zero-day flaws this year, with two patches for previous iOS and macOS vulnerabilities coming in
January
and one in
February
— the latter of which fixed another actively exploited issue in WebKit.
Moreover, last year 12 of 57 zero-day threats that researchers from Googles Project Zero
tracked
were Apple-related (i.e., more than 20%), with issues affecting macOS, iOS, iPadOS, and WebKit.

Last News

▸ Feds probe cyber breaches at JPMorgan, other banks. ◂
Discovered: 23/12/2024
Category: security

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Apple Quietly Releases Another Patch for Zero-Day RCE Bug