Apple Inc. has recently rolled out critical security updates for legacy iPhone, iPad, and iPod touch devices, focusing on patching a significant vulnerability that has been found to be actively exploited. This flaw, designated as CVE-2022-32893, has garnered a CVSS score of 8.8 and represents an out-of-bounds write issue in WebKit, the rendering engine that underlies the Safari browser and other popular third-party browsers available on the iOS and iPadOS ecosystems.
The implications of this flaw are particularly severe, as it opens the door for arbitrary code execution through the exploitation of maliciously crafted web content. Given that WebKit is integral to not just Safari, but also to Google Chrome, Mozilla Firefox, and Microsoft Edge on iOS and iPadOS, the vulnerability poses a significant risk across various platforms.
Apple has remedied this issue through enhanced bounds checking mechanisms, with the vulnerability initially reported by a researcher who remains anonymous. The update, titled iOS 12.5.6, targets older devices including iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
In its advisory, Apple clarified that devices running iOS 12 are not affected by a different security flaw tracked as CVE-2022-32894, emphasizing their commitment to addressing security weaknesses across their legacy product line. This update comes on the heels of previous patches delivered in August for iOS 15.6.1, iPadOS 15.6.1, macOS 12.5.1, and Safari 15.6.1, which addressed multiple security concerns.
In a general statement regarding the recent exploit, Apple acknowledged it is aware of reports indicating ongoing exploitation of this vulnerability, although specific details on the nature or circumstances of such attacks remain scarce. For business owners and users of older iOS devices, it is imperative to implement the updates without delay in order to reduce the likelihood of falling victim to these threats.
This incident highlights the necessity for organizations to maintain vigilance concerning the security of their devices, particularly legacy systems that may not receive regular updates. Understanding the potential exploit tactics, as outlined in the MITRE ATT&CK framework, can aid in grasping the risks associated with such vulnerabilities, including techniques like initial access through web-based attacks and privilege escalation that could result from code execution vulnerabilities.
