Apple has released security updates for macOS, iOS, and iPadOS to address a zero-day vulnerability in the WebKit browser engine that attackers may already have used in the wild.
The company describes the vulnerability patched in these updates, CVE-2022-22620, as a “use after free issue” that was “addressed with improved memory management.”
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple says of the flaw. “Apple is aware of a report that this issue may have been actively exploited.” It doesn’t offer any further details about who submitted this report or when it may have been exploited.
The company says that WebKit is used in “Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux.” (That includes third-party browsers available for iOS and iPadOS.) WebKit can’t really be avoided, so the best way to mitigate the risk posed by this vulnerability is to update.
The Verge reports that the macOS update also resolves “an issue for Intel-based Mac computers that may cause the battery to drain during sleep when connected to Bluetooth peripherals,” which should be welcome news for Mac owners dealing with diminished battery life.
Apple says iOS 15.3.1 and iPadOS 15.3.1 are available for these devices: “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).” All macOS 12-compatible devices can install macOS 12.2.1.