Apple delivers belated zero-day patch for iOS v12 (CVE-2022-42856)
Apple has released security updates for macOS, iOS, iPadOS and watchOS, patching – among other things – a type confusion flaw in the WebKit component (CVE-2022-42856) that could be exploited for remote code execution on older iPhones and iPads running iOS v12.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the company said.
CVE-2022-42856 was a zero-day vulnerability flagged by Clément Lecigne of Google’s Threat Analysis Group and was patched by Apple in November and December 2022 in the iOS 16 and 15 branches, respectively. Apple still has not shared details of the attacks leveraging this vulnerability.
As per usual, the security update for the most recent macOS version (v13, or Ventura) is more hefty that those for Monterey (v12) and Big Sur (v11), but many of the fixes overlap. Likewise, iOS and iPadOS v16.3 deliver more fixes than v15.7.3 for those two OSes.
Wider availability of new security features
Advanced Data Protection for iCloud and Security Keys for Apple ID, two security features announced and partially rolled out for testing by Apple late last year, have also been included in this latest macOS Ventura update.
Advanced Data Protection for iCloud expands end-to-end encryption to more data categories in iCloud (including iCloud Backup, Notes, and Photos), and Security Keys for Apple ID adds the necessary support so users can use physical security keys as their second authentication factor.
More details about each of these features is available here. If you’re a Mac user and you still haven’t explored the security and privacy features introduced with macOS Ventura, check out this quick overview.