Apple delivers belated zero-day patch for iOS v12 (CVE-2022-42856)
Apple has released security updates for macOS, iOS, iPadOS and watchOS, patching, among other things, a type confusion flaw in the WebKit component that could be exploited for remote code execution on older iPhones and iPads running iOS v12.
"Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1," the company said.
CVE-2022-42856 was a zero-day vulnerability flagged by Clément Lecigne of Google's Threat Analysis Group and was patched by Apple in November and December 2022 in the iOS 16 and 15 branches, respectively.
Apple still has not shared details of the attacks leveraging this vulnerability.
Advanced Data Protection for iCloud and Security Keys for Apple ID, two security features announced and partially rolled out for testing by Apple late last year, have also been included in this latest macOS Ventura update.
Advanced Data Protection for iCloud expands end-to-end encryption to more data categories in iCloud, and Security Keys for Apple ID adds the necessary support so users can use physical security keys as their second authentication factor.
News URL
https://www.helpnetsecurity.com/2023/01/24/cve-2022-42856-ios-v12/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-12-15 | CVE-2022-42856 | Type Confusion vulnerability in Apple products. A type confusion issue was addressed with improved state handling. | 8.8 |