January 24, 2023

Apple has issued an iPhone software update that addresses CVE-2022-42856, a zero-day security vulnerability with a severity rating of 4, that was actively exploited.

Attackers can successfully exploit this flaw by tricking their victims into visiting a maliciously crafted website controlled by them. Once obtained, arbitrary code execution could allow them to run commands on the underlying operating system, deploy additional malware or spyware payloads, or initiate other malicious activity.

The update, iOS 16.1.2, was released on November 30 to all supported iPhones, including the iPhone 8 and later, and included unspecified “important security updates.”

The flaw, identified as CVE-2022-42856, is a type confusion that affects the WebKit browser engine, according to the company. An attacker can take advantage of the vulnerability to execute arbitrary code by convincing the targeted user to visit a specially crafted website.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the company said in its advisory.

Apple previously stated that it was aware of a report that this issue may have been actively exploited against iOS versions prior to iOS 15.1. The bug was then fixed with better state handling. While CVE-2022-42856 appears to have been used only against iPhone users, Apple patched the vulnerability with the release of macOS Ventura 13.1, tvOS 16.2, and Safari 16.2. The bug has also been fixed in iOS 15.7.2 and iPadOS 15.7.2.

According to Apple, the flaw discovered by Clément Lecigne of Google’s Threat Analysis Group allows maliciously crafted webpages to execute arbitrary code (and thus likely gain access to sensitive information) on vulnerable devices.

The sources for this piece include an article in BleepingComputer.