"Apple Patches Actively Exploited WebKit Zero Day"

A memory issue affecting iPhone, iPad, and macOS devices has been discovered that allows attackers to execute arbitrary code when a device processes malicious web content. The zero-day vulnerability, found in Apple's WebKit browser engine, is being actively exploited to compromise devices. Tracked as CVE-2022-22620, it is described as a Use-After-Free issue, which involves the incorrect use of dynamic memory during a program's operation. In this case, attackers can execute arbitrary code on an affected device once it processes maliciously crafted web content, potentially leading to unexpected OS crashes.

According to the vulnerability's description on the Common Weakness Enumeration website, the easiest way for threat actors to exploit the flaw involves the system's reuse of freed memory. Referencing memory after freeing it can cause a program to crash, use unexpected values, or execute code. Exploiting previously freed memory can have various consequences, such as the corruption of valid data, the execution of arbitrary code depending on the instantiation and timing of the flaw, and more.

Apple released separate security updates for its products to address the issue, both of which improve how the OSes manage memory. The vulnerability impacts numerous Apple devices, including iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the 7th generation iPod touch. The flaw also affects desktops and notebooks running macOS Monterey. This article continues to discuss the potential exploitation and impact of the zero-day WebKit flaw.

Threatpost reports "Apple Patches Actively Exploited WebKit Zero Day"

 

Submitted by Anonymous on