Apple WebKit remote code execution vulnerability often used to compromise iPhones, iPads, and Macs has been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) list of vulnerabilities exploited in the public. Government entities must now patch their systems against this extensively exploited vulnerability affecting iOS, iPadOS, and macOS devices, according to a binding operational directive (BOD 22–01) published by CISA in November.
CISA stated that until February 25th, 2022, all Federal Civilian Executive Branch Agencies (FCEB) must patch the vulnerability identified as CVE-2022–22620 [1, 2]. According to the cybersecurity organization, “these types of vulnerabilities are a common attack vector for bad cyber actors of all types and represent significant danger to the federal enterprise.”
“Although BOD 22–01 only applies to FCEB agencies, CISA strongly advises other companies to prioritize early correction of Catalog vulnerabilities as part of their vulnerability management process to prevent their susceptibility to attackers.” CISA also urged FCEB agencies to fix 15 additional security flaws as active exploitation, with a February 24th patch deadline for CVE-2021–36934, a Microsoft Windows SAM (Security Accounts Manager) flaw that allows privilege escalation and credential theft.
CVE-2022–22620 is Apple’s third zero-day since the beginning of 2022, and it’s a WebKit Use After Free flaw that can cause OS crashes and code execution on susceptible systems. After viewing maliciously crafted web sites using Safari, successful exploitation allows attackers to execute arbitrary code on iPhones, iPads, and Macs.
“All browsers for iOS and iPadOS, in particular, are built on this open source engine,” Kaspersky warned yesterday. “This includes not only the iPhone’s default Safari, but also Google Chrome, Mozilla Firefox, and any others.” “This vulnerability affects you directly even if you don’t use Safari.” “Apple is aware of a report that this problem may have been actively exploited,” the company noted while discussing the zero-day.
In iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1, Apple has updated memory management to solve the problem. iPhone 6s and later, several iPad models, and Macs running macOS Monterey are among the devices affected.
Although this issue was most likely exclusively utilized in a few targeted attacks, it’s still critical to install the patches as quickly as possible to prevent further attacks, as CISA recommended yesterday. Apple also addressed two more actively exploited zero-days in January, allowing hackers to track browsing activities and users’ identities in real time (CVE-2022–22594) and execute arbitrary code with kernel privileges (CVE-2022–22587).