iPhones, iPads and the iPod Touch are all at risk, and it doesn’t matter what web browser you use: All of them could let an attacker execute arbitrary code on an infected device.
iOS users may have noticed an unexpected software update on their devices yesterday, and Apple is urging everyone to install that update immediately to avoid falling prey to a use-after-free vulnerability that could allow an attacker to execute arbitrary code on a victim’s device.
Use-after-free (UAF) attacks exploit a problem in how applications manage dynamic memory allocation. Dynamic memory is designed to store arbitrary-sized blocks, be used quickly and then freed and is managed by headers that help apps understand which blocks are occupied.
In some instances, memory headers aren’t cleared properly. When this happens a program can allocate the same chunk of data to another object without clearing the heading. Here’s where an attacker can insert malicious code that gets picked up by another app and executed at the original buffer address.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
As Kaspersky pointed out in its announcement of the vulnerability, Apple doesn’t always explain the particulars of vulnerabilities until it completes an investigation, so don’t expect a lot of particulars beyond the fact that the bug exists in WebKit, and is of the UAF vulnerability class.
How this vulnerability affects iOS users
This particular vulnerability, CVE-2022-22620, comes to Apple from an anonymous security researcher, and Apple said it “is aware of a report that this issue may have been actively exploited.” Consider that your warning that it’s probably already being exploited in the wild.
In order to exploit this vulnerability, all that an attacker would need was for their victim to visit a maliciously-crafted webpage, the very act of which would compromise the device and allow for arbitrary code execution.
All of the web browsers available on iOS, from Safari to Chrome to Firefox and beyond, use WebKit. That means that each and every iOS device is potentially vulnerable. It’s worth noting that some macOS and Linux browsers use WebKit as well, so be sure that you update any vulnerable desktop browsers, too.
SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)
Apple said that the iPhone 6S and later, all iPad Pro models, iPad Air 2 and later, iPad 5th gen and later iPad Mini 4 and newer, and seventh generation iPod Touch devices would all be able to download the 15.3.1 update for iOS and iPadOS.
iOS and iPadOS devices should automatically inform you of the need to update, but if you’re yet to see a notification, it’s a good idea to open the Settings app, navigate to General, and then to Software Update. Follow the onscreen instructions and nip this particular bug in the bud.