Apple has provided security fixes to address a new zero-day vulnerability that has been used to hack iPhones, iPads, and Macs in the wild. The CVE-2022-22620 [1, 2] zero-day fixed recently is a WebKit Use After Free flaw that might cause OS crashes and code execution on infected devices. After processing fraudulently created web content on iPhones and iPads running vulnerable versions of iOS and iPadOS, successfully exploiting this flaw allows attackers to inject malicious code.
“Apple is aware of a report that this issue may have been actively exploited,” the company stated when reporting the zero-day. In iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1, Apple resolved CVE-2022-22620 with improved memory management. Because the flaw affects both older and newer models, the complete list of afflicted devices is rather long, and it includes:
- iPhone 6s and later,
- iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Macs running macOS Monterey
Even though this zero-day was most likely only exploited in targeted attacks, it is strongly advised to get the fixes as soon as possible to prevent further attacks.
In January, Apple addressed two more zero-days that might allow threat actors to gain arbitrary code execution with kernel privileges (CVE-2022-22587) and track browsing activities and users’ identities in real-time (CVE-2022-22594). The first two zero-days affected iPhones (iPhone 6s and higher), Macs running macOS Monterey, and several iPad models.
While Apple has only patched three zero-days since the beginning of 2022, the firm has had to contend with an almost endless stream of zero-days targeted at iOS, iPadOS, and macOS devices in the wild. According to the list, multiple zero-day bugs were exploited to install NSO’s Pegasus spyware on iPhones belonging to journalists, activists, and politicians.