Apple fixes dangerous iOS flaw that could have let hackers take over your iPhone

Apple logo on the side of a building
(Image credit: zomby / Shutterstock)

Apple has released a fix to a dangerous security flaw that could have allowed threat actors to completely take over older versions of the iPhone and the iPad. 

The flaw was apparently being used in the wild, but Apple is not sharing any details on exact incidents until the majority of the endpoints apply the patch.

The patch addresses a confusion weakness vulnerability in Apple’s Webkit web browser engine. It’s tracked as CVE-2022-42856 and allows threat actors to run arbitrary code on target devices which, in theory, could also give them access to the entire device. It was given a severity score of 8.8 - “High”.

TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Active exploitation

In late 2022, Apple fixed it for Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.1.2. Now, it expanded the patch’s reach to a wider set of vulnerable device series, including iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Apple says there are reports of the flaw being “actively exploited” in the wild, but doesn’t want to share any details as it might prompt more threat actors to try and abuse it. The media are saying the CVE is most likely used in “targeted attacks” only, but that shouldn’t mean regular consumers shouldn’t rush to apply the patch. 

The fix comes as part of a wider patching event, in which Apple fixed dozens of security flaws found in both its Safari web browser, and the latest iterations of macOS, iOS, and watchOS devices. However, it seems as the CVE-2022-42856 is the only fixed vulnerability being actively exploited in the wild. 

We expect Apple to release the details on how crooks were taking advantage of the flaw, and if any malware, infostealers, or trojans, were included.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.