Apple fixes actively exploited iOS, macOS zero-day (CVE-2022-22620)

Another month, another zero-day exploited in the wild that has been fixed by Apple.
Apple fixed it in iOS 15.3.1 and iPadOS 15.3.1, macOS Monterey 12.2.1, and Safari 15.3.
"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," the company noted in the security update release notes, and credited an anonymous researcher with reporting it.
"WebKit vulnerabilities are typically exploited by exposing the device to a malicious webpage, but anything rendered using the WebKit engine could potentially be used to expose the vulnerability," noted Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute.
"Currently, it isn't clear if other devices using WebKit are vulnerable, or if the patch will be released as a Safari update for older macOS versions. But typically, Apple does not release vulnerability information until all affected operating systems are patched."
Many of the actively exploited zero-day vulnerabilities in iOS fixed by Apple in the last several years turned out to be leveraged to deliver NSO Group's Pegasus spyware to select targets in limited attacks.
News URL
https://www.helpnetsecurity.com/2022/02/11/cve-2022-22620/