Apple fixed actively exploited zero-day bug impacting iPhones

Updated on: 14 December 2022

Vilius Petkauskas
Senior Journalist

Image by Shutterstock.

The flaw affected Apple’s WebKit browser engine, a mandatory tool for all third-party browsers available for iOS.

Apple described the vulnerability, tracked as CVE-2022-42856, as a “confusion issue” that affected WebKit, a web rendering engine Apple requires browser developers to use.

The tech giant claims that due to the bug, processing “maliciously crafted” content could lead to arbitrary code execution.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the company said.

The disclosure confirms that the iOS 16.1.2 update, released on November 30, fixed the issue with WebKit. WebKit exploits manifest when users visit malicious domains on their browser. Threat actors can use WebKit bugs with other flaws to breach targeted devices.

Clément Lecigne of Google’s Threat Analysis Group (TAG) is credited with discovering the bug affecting Apple devices. TAG often focuses on investigating state-sponsored hackers and spyware.

The latest zero-day flaw is the tenth Apple has to deal with this year. The company addressed two flaws in January (CVE-2022-22587, CVE-2022-22594) and March (CVE-2022-22674, CVE-2022-22675) and one in February (CVE-2022-22620), May (CVE-2022-22675), August (CVE-2022-32894), September (CVE-2022-32917) and October (CVE-2022-42827).

Recently, researchers discovered Apple’s zero-day vulnerability being traded on the dark web. A few days after the initial vulnerability was exposed, the researchers found a post in which a hacker offered a new zero-day around the same CVE-2022-32893 for €2.5 million.