Apple users told to update their devices to fix critical WebKit flaw
The security flaw allowed code execution on a range of devices and represents the third major vulnerability to be patched by Apple this year
Apple has patched a serious security flaw in WebKit affecting iOS, iPadOS, and macOS that allowed arbitrary code execution on a range of Apple devices, with evidence indicating that the issue has been actively exploited.
Experts have advised all Apple users to update their iPhones and iPads to the latest version (15.3.1) to prevent potential attacks caused by accessing maliciously crafted web content.
The same WebKit issue also affects Safari, which prompted Apple to release security updates for its Mac-based browser, available on macOS Big Sur and macOS Catalina. Macs running the latest macOS Monterey have been issued a patch for the operating system itself, version 12.2.1.
The security vulnerability is tracked as CVE-2022-22620 and was disclosed to Apple by an anonymous researcher. In typical fashion, Apple has offered very few details about the vulnerability but said the issue is related to the use after free class, which means it is related to incorrect use of dynamic memory in applications, Kaspersky said in its analysis.
WebKit is a browser engine developed by Apple and mainly used in its Safari browser but also many other applications on Apple's operating systems. It's also present on Linux, as well as Google Chrome and Mozilla Firefox for iPhone.
Owners of affected Apple devices should check for a software update in their device's settings menu, providing they haven't already received a push notification that an update is ready.
The vulnerabilities included serious issues which could have led attackers to execute arbitrary code with kernel privileges with some of them also believed to be actively exploited in the wild.
Vulnerability and patch management
Keep known vulnerabilities out of your IT infrastructureFree Download
Earlier in January, a separate flaw in WebKit was also found that let websites track user's browsing activity and unique identifiers. Described at the time as a 'privacy violation', the bug was particularly troublesome for Apple given its stance on web tracking.
The company released an anti-tracking App Tracking Transparency feature in 2021 which allowed users to opt-in to a device setting that required installed apps to explicitly ask for their ability to collect data allowing them to track users across other apps and websites. A boon to end-user privacy, Meta recently said the feature will cost its business $10 billion.
It follows what was a tricky 2021 in terms of security for Apple. Throughout the course of last year, the company patched numerous zero-day vulnerabilities as well as other security flaws affecting devices in its ecosystem. Most notable among the patches was a fix for the ForcedEntry exploit used by NSO Group's Pegasus spyware to gain a foothold in iPhones.
Activation playbook: Deliver data that powers impactful, game-changing campaigns
Bringing together data and technology to drive better business outcomesFree Download
In unpredictable times, a data strategy is key
Data processes are crucial to guide decisions and drive business growthFree Download
Achieving resiliency with Everything-as-a-Service (XAAS)
Transforming the enterprise IT landscapeFree Download
What is contextual analytics?
Creating more customer value in HR software applicationsFree Download