On February 10, Apple released an urgent update for iOS, iPadOS and macOS to fix the dangerous zero-day vulnerability CVE-2022-22620. While Apple does not disclose details of vulnerabilities until it has completed its research and most users have patches in place, it recommends updating devices as soon as possible. Meanwhile, CISA has ordered federal agencies to update any affected devices by February 25.
Here’s everything you need to know:
What is the CVE-2022-22620 vulnerability?
Versions of Apple iOS prior to 15.3.1 are affected by a use-after-free vulnerability in the WebKit component, which underlies all browsers on iOS, iPadOS and macOS: Safari, Chrome, Firefox and others.
An unauthenticated, remote attacker can exploit this by crafting malicious web content that, when processed by WebKit, executes arbitrary code on the victim’s device.
There are two ways to use the exploit:
- Send the victim a link to a malicious site
- Exploit an XSS vulnerability on a legitimate web site and deliver the exploit for this CVE in the injected payload.
Does it affect me?
If the version of iOS/iPadOS running on your device is older than 15.3.1, you are exposed to an attack that exploits this vulnerability. Again, the WebKit component is used by all browsers on iOS, iPadOS and macOS, not just Safari. So even if you’re using Chrome or Firefox, you’re vulnerable.
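As an added example (not from the original post), the following Python script flags inventory entries still exposed to CVE-2022-22620 by comparing each iOS/iPadOS version numerically against 15.3.1 rather than as strings. The inventory rows are constructed, and macOS devices are skipped because the post does not give a macOS fix version.

```python
"""Flag devices still exposed to CVE-2022-22620 from a fleet inventory.

Added example, not part of the original post. Assumes an inventory of
(device name, platform, OS version) tuples; the sample rows are constructed.
Only iOS and iPadOS are assessed, because 15.3.1 is the fixed version the post
names; the macOS fix version is not given on the page.
"""
import re
from typing import Iterable, List, Tuple

FIXED_VERSION = "15.3.1"            # first iOS/iPadOS release containing the fix
AFFECTED_PLATFORMS = {"iOS", "iPadOS"}

# Constructed sample inventory: (device, platform, version)
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "15.3"),
    ("phone-02", "iOS", "15.3.1"),
    ("tablet-01", "iPadOS", "14.8.1"),
    ("tablet-02", "iPadOS", "15.10"),   # numeric compare: 15.10 is newer than 15.3.1
    ("laptop-01", "macOS", "12.2"),     # not assessed: no macOS fix version on the page
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '15.3.1' into (15, 3, 1) so versions compare numerically.

    A plain string compare gets this wrong: '15.10' < '15.3.1' as text.
    Trailing build tags such as '15.3.1 (19D52)' are ignored.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(platform: str, version: str) -> bool:
    """True when an iOS/iPadOS device runs a version older than FIXED_VERSION."""
    if platform not in AFFECTED_PLATFORMS:
        return False
    # Tuple comparison treats (15, 3) as older than (15, 3, 1), which is correct here.
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the names of devices that still need the 15.3.1 update."""
    return [name for name, platform, version in inventory
            if is_vulnerable(platform, version)]


if __name__ == "__main__":
    for device in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{device}: update to iOS/iPadOS {FIXED_VERSION} or later")
```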
Has it been actively exploited in the wild?
According to Apple and CISA, yes. CVE-2022-22620 has reportedly already been exploited in the wild, although the details of that exploitation have not been confirmed.
Fixing CVE-2022-22620
Fortunately, Apple has already released updates to its operating systems and has made them available to users. Updating your devices to version 15.3.1 will patch the vulnerability and prevent attackers from taking advantage of it.
Don’t wait for the attackers to tell you where you’re vulnerable. Find the latest fixes, mitigation actions and industry trends using the Vulcan Remedy Cloud.