Apple has issued security updates for iOS, iPadOS, macOS, tvOS, and the Safari web browser to address a zero-day vulnerability that allows remote code execution.
Tracked as CVE-2022-42856, the bug is a type confusion issue that resides in Apple's WebKit browser engine. A remote attacker can execute arbitrary code on the target system by tricking the victim into visiting a specially crafted website.
Apple didn’t provide any additional details regarding this vulnerability, only noting that it is “aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.”
This marks the tenth zero-day vulnerability Apple has fixed since the start of this year. The other nine zero-days are: CVE-2022-22587 and CVE-2022-22594 (both fixed in January); CVE-2022-22620 (WebKit, fixed in February); CVE-2022-22674 (Intel Graphics Driver) and CVE-2022-22675 (AppleAVD), both fixed in April; CVE-2022-32894 and CVE-2022-32893 (WebKit and Kernel, fixed in August); CVE-2022-32917 (Kernel, fixed in September); and CVE-2022-42827 (Kernel, fixed in October).