Apple have released security updates this week for a range of their software, including MacOS, watchOS, iOS, iPadOS, and Safari. Among these new releases is iOS 12.5.7, which contains backported security patches for older iPhone models to resolve a high severity zero-day vulnerability. This flaw was patched in more recent device models in December, however the new update now provides this fix for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and 6th Gen iPod touch. This additional patch has been released due to active exploits of this vulnerability known to exist in the wild, currently believed to only have occurred in targeted attacks. 

The vulnerability tracked as CVE-2022-42856 is a type confusion issue within the iOS WebKit. Remote attackers can exploit this vulnerability by creating a malicious website that is accessed from the target device. The type confusion occurs when data stored in memory (such as a string) is accessed using an incompatible type (such as an array), resulting in out-of-bounds memory access. The attacker can then execute arbitrary code on the target device, which could allow for sensitive data to be accessed, or further malicious activity such as the installation of malware or spyware payloads on the device. The security patches released by Apple address this flaw through improved state handling. 

Just after the December patch for this vulnerability was released, the Cybersecurity and Infrastructure Security Agency (CISA), a branch of the US government, added it to their Known Exploited Vulnerabilities Catalog (KEVC). This confirms the report from Apple that this vulnerability was actively exploited in older unpatched versions before iOS 15.1. When CISA add a vulnerability to their catalogue all federal agencies are required to resolve the vulnerability as soon as possible due to the perceived security risk. They therefore also encourage all other organisations to patch flaws listed in the KEVC to reduce their exposure to attacks. Although all exploits of this vulnerability in the wild are believed to have been targeted attacks, all users of Apple devices should update to the latest software versions to protect themselves from this form of attack.