Apple has patched yet another zero-day vulnerability, this time in its WebKit browser engine, that threat actors already are actively exploiting to compromise iPhones, iPads and MacOS devices.
The zero-day, tracked as CVE-2022-22620, is a Use-After-Free issue, which is related to incorrect use of dynamic memory during program operation.
In the case of Apple’s zero-day, threat actors can execute arbitrary code on affected devices after they process maliciously crafted web content, the company said in a description of the bug. The flaw also can lead to unexpected OS crashes.
“Apple is aware of a report that this issue may have been actively exploited,” the company wrote in its update notes.
The simplest way threat actors can exploit the flaw involves the system’s reuse of freed memory, according to the vulnerability’s description on the Common Weakness Enumeration website. “Referencing memory after it has been freed can cause a program to crash, use unexpected values or execute code,” according to the post.
Exploiting previously freed memory can have various adverse consequences, “ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw,” the description said.
These types of errors typically have two common and sometimes overlapping causes: error conditions and other exceptional circumstances, and confusion over which part of the program is responsible for freeing the memory, according to the post.
In the case of CVE-2022-22620, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation.
“As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process,” according to the post.
If the newly allocated data happens to hold a class – for example, in C++ code – various function pointers may be scattered within the heap data. “If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved,” Apple’s post explained.
Numerous Devices Affected
The flaw affects numerous Apple devices, including iPhone 6s and later; all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. It also affects desktops and notebooks running macOS Monterey.
The update is the second time this year that Apple has had to issue a patch for a zero day. Last month, the company also had to patch a memory issue – a zero-day flaw also affecting iOS, iPadOS and macOS Monterey tracked as CVE-2022-22587. Attackers could exploit the bug using a malicious app to execute arbitrary code with kernel privileges.
At the same time, the company patched another WebKit zero-day tracked as CVE-2022-22594. The information-disclosure issue affects browsers for macOS, iOS and iPadOS and allows a snooping website to find out information about other tabs a user might have open.
Last year Apple also patched several zero-day vulnerabilities, including a zero-click zero-day exploited by the NSO Group’s Pegasus spyware and a memory-corruption flaw in its iOS and macOS platforms that could allow for system takeover.
How to Force an Update if Necessary
As is typical for Apple, it didn’t disclose many details of the vulnerability and won’t until the investigation is completed. At any rate, “the majority of users have the patches installed,” pointed out Kaspersky in an early morning Friday post.”Simply put, the most likely attack scenario is an infection of an iPhone or iPad device after visiting a malicious web page,” noted the security firm’s post.
Installing the OS 15.3.1 and iPadOS 15.3.1 updates will protect your device, though it does need to be connected to a Wi-Fi network in order to install the patch.
For devices that aren’t yet showing that the update is ready to be installed, Kaspersky advised that systems can be forced into updating faster by going to system settings (Settings → General → Software update) and checking the availability of software updates.
021122 09:25 update: Added content from Kaspersky’s post.
Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.