===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2023.0391.2
APPLE-SA-2023-01-23-3 iOS 12.5.7
24 January 2023

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           iOS
Publisher:         Apple
Operating System:  Apple iOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-42856

Original Bulletin:
   https://support.apple.com/HT213597

Comment: CVSS (Max):  8.8 CVE-2022-42856 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

         UPDATE: Apple is aware of a report that this issue may have been
         actively exploited.

Revision History:  January 24 2023: Marked as Alert
                   January 24 2023: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2023-01-23-3 iOS 12.5.7

iOS 12.5.7 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213597.

WebKit
Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2,
iPad mini 3, and iPod touch (6th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
actively exploited against versions of iOS released before iOS 15.1.
Description: A type confusion issue was addressed with improved state
handling.
WebKit Bugzilla: 248266
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site.
Make sure you have an Internet connection and have installed the latest
version of iTunes from https://www.apple.com/itunes/

iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is presented
to the user when the iOS device is docked. We recommend applying the
update immediately if possible. Selecting Don't Install will present
the option the next time you connect your iOS device.

The automatic update process may take up to a week depending on the day
that iTunes or the device checks for updates. You may manually obtain
the update via the Check for Updates button within iTunes, or the
Software Update on your device.

To check that the iPhone, iPod touch, or iPad has been updated:

* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
  "iOS 12.5.7".

All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================