Apple’s software exploited by NSO group

Apple published 10 new advisories describing vulnerabilities affecting its products, including a zero-day that has been exploited against iPhone users. Apple Patches Zero-Day Vulnerability Exploited Against iPhones.

Apple announced an advisory for iOS 16.1.2 that would be released in the coming days and it’s unclear why the tech giant waited for so long to make the information public.

According to the company, the flaw, tracked as CVE-2022-42856, is a type confusion affecting the WebKit browser engine. An attacker can exploit the vulnerability for arbitrary code execution by getting the targeted user to access a specially crafted website.

It's worth noting that every third-party web browser that's available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, and others, are required to use the WebKit rendering engine due to restrictions imposed by Apple.

“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the company said in its advisory.

Clément Lecigne of Google's Threat Analysis Group has been credited for reporting the vulnerability to Apple. While no information has been released about the attacks leveraging CVE-2022-42856, Google typically tracks exploits used by sophisticated state-sponsored threat actors or commercial spyware vendors.

While it appears that CVE-2022-42856 has only been used against iPhone users, Apple has also patched the vulnerability with the release of macOS Ventura 13.1, tvOS 16.2, and Safari 16.2. iOS and iPadOS 15.7.2 also include fixes for the bug.

macOS Ventura 13.1 patches a total of 36 vulnerabilities that can lead to arbitrary code execution, sensitive information disclosure, security bypass, spoofing, or a denial-of-service (DoS) condition. macOS Big Sur 11.7.2 resolves 10 vulnerabilities, and macOS Monterey 12.6.2 fixes over a dozen issues.

A total of 35 flaws have been fixed with the release of iOS and iPadOS 16.2, and 17 security holes with the release of iOS and iPadOS 15.7.2.

WatchOS 9.2 addresses 25 vulnerabilities, and tvOS 16.2 addresses 28 issues. Since these operating systems are based on iOS, most of these are flaws shared among all operating systems.

Safari 16.2 patches 10 flaws and iCloud for Windows 14.1 fixes three issues — all affecting WebKit.

The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption to ‌iCloud‌ Backup, Notes, Photos, and more.

Dr. Deepak Kumar Sahu, President & CEO, VARINDIA