Apple has released fixes for a vulnerability affecting older iPhone and iPad models that could lead to remote code execution (RCE).
The tech giant released the iOS 15.7.4 and iPadOS 15.7.4 updates alongside the new iOS 16.4 and iPadOS 16.4 versions (for newer Apple models) on Monday.
The flaw affects a number of older Apple devices, including all iPhone 6s and iPhone 7 models, the first-generation iPhone SE, the iPad Air 2, the fourth-generation iPad mini and the seventh-generation iPod touch.
The vulnerability (CVE-2023-23529) is a type confusion bug in the WebKit browser engine. It was reportedly fixed by Apple on February 13, but only disclosed on Monday.
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple explained in the advisory. “For our customers’ protection, Apple doesn’t disclose, discuss or confirm security issues until an investigation has occurred and patches or releases are available.”
At the same time, the Cupertino-based company said it was aware of “a report that this issue may have been actively exploited.”
As is customary, the company did not share details about how the vulnerability was being exploited in the wild or what its impact was on iPhone and iPad users. Apple said the type confusion issue was addressed with improved checks. An anonymous researcher was credited with the discovery.
The patches come a few months after Apple released a separate fix for a zero-day security flaw (CVE-2022-42856) that was actively exploited in the wild.
More recently, cybersecurity researchers from Trellix have shed light on six vulnerabilities in macOS and iOS, and an entirely new bug class based on the ForcedEntry attack used to deploy NSO Group’s Pegasus mobile malware.