Back in December 2022, Apple released security updates to address a new zero-day vulnerability, tracked as CVE-2022-42856, that is actively exploited in attacks against iPhones.
The CVE-2022-42856 flaw is a type confusion bug that impacts the WebKit browser engine. The bug is triggered when WebKit processes specially crafted content, and an attacker can exploit it to achieve arbitrary code execution.
Apple released security bulletins for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1. Apple addressed the vulnerability with improved state handling for the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
This week, Apple backported the security updates. To secure older devices against attacks exploiting the above issue, Apple released iOS 12.5.7.
To summarize, Apple has addressed the zero-day bug with improved state handling for the following devices:
- iPhone 5s
- iPhone 6
- iPhone 6 Plus
- iPad Air
- iPad mini 2
- iPad mini 3
- iPod touch (6th generation)