Apple released an emergency update for iOS (and macOS, as well as the Safari browser) last week to fix a critical RCE vulnerability (CVE-2022-22620) in WebKit. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has instructed all U.S. agencies to install the update that closes the CVE-2022-22620 vulnerability on devices in use by February 25, 2022. Users and administrators in Germany should perhaps also act promptly.
CISA maintains a list of vulnerabilities in products that should definitely be patched. On Twitter, there was the following tweet on February 11, 2022, referring to the remote code execution vulnerability CVE-2022-22620.
CVE-2022-22620 is an Apple WebKit remote code execution vulnerability for which there are known exploits. All it takes to exploit the vulnerability is a visit to an infected website. Agencies are asked in the related CISA documents to close this vulnerability on devices (iOS, watchOS, iPadOS, macOS and Safari) by February 25, 2022.
Update to iOS 15.3.1 and macOS 12.2.1
I hadn't addressed it on the blog, but Apple released iOS 15.3.1 and iPadOS 15.3.1 as of February 10, 2022 to close the CVE-2022-22620 vulnerability mentioned above. The vulnerability is actively used for attacks, and it is probably enough to visit a manipulated website to exploit the remote code execution vulnerability. The corresponding document states:
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
CVE-2022-22620: an anonymous researcher
Mac users also receive corresponding security updates for macOS (macOS 12.2.1 Monterey) or for the Safari browser, which has been updated to version 15.3. So, anyone who has such Apple devices in use should update to the relevant macOS or iOS version.
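The update guidance above can be checked against a device inventory. The following Python script is an added example, not part of the original post or of any Apple or CISA tooling; the CSV layout, device names and status labels are assumptions, and the inventory rows are constructed.

```python
import csv, io
from datetime import date

# Fixed versions as stated in the post; platforms it names without a
# fixed version (e.g. watchOS) are deliberately absent.
FIXED = {"iOS": (15, 3, 1), "iPadOS": (15, 3, 1), "macOS": (12, 2, 1)}
CISA_DEADLINE = date(2022, 2, 25)

# Constructed sample inventory (hypothetical MDM export, not real data).
SAMPLE_CSV = """device,platform,os_version
phone-01,iOS,15.3.1
phone-02,iOS,15.3
tablet-01,iPadOS,14.8.1
mac-01,macOS,12.2.1
mac-02,macOS,12.2
mac-03,macOS,11.6.3
watch-01,watchOS,8.4.1
"""

def parse_version(text):
    """Turn '15.3' into (15, 3, 0) so that 15.3 sorts below 15.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, os_version):
    fixed = FIXED.get(platform)
    if fixed is None:
        return "unknown"        # the post gives no fixed version here
    version = parse_version(os_version)
    if platform == "macOS" and version[0] < fixed[0]:
        # Assumption: pre-Monterey Macs get the fix through the Safari
        # update, so the OS version alone cannot confirm patch status.
        return "check-safari"
    return "patched" if version >= fixed else "needs-update"

def audit(csv_text, today):
    """Return ({device: status}, days remaining until the CISA deadline)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    report = {r["device"]: classify(r["platform"], r["os_version"]) for r in rows}
    return report, (CISA_DEADLINE - today).days

if __name__ == "__main__":
    report, days_left = audit(SAMPLE_CSV, date(2022, 2, 14))
    for device, status in report.items():
        print(f"{device:10} {status}")
    print(f"days until CISA deadline: {days_left}")
```

Devices reported as "unknown" or "check-safari" need a manual look, because the post does not give a version number that settles their status.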