by Paul Ducklin
Apple just pushed out an emergency update for two zero-day bugs that are apparently actively being exploited.
There’s a remote code execution hole (RCE) dubbed CVE-20220-32893 in Apple’s browser and HTML rendering software (WebKit), by means of which a booby trapped web page can trick iPhones, iPads and Macs into running unauthorised and untrusted software code.
Simply put, a cybercriminal could implant malware on your device even if all you do is view an otherwise innocent web page.
Remember that WebKit is the part of Apple’s browser engine that sits underneath absolutely all web rendering software on Apple’s mobile devices.
But on iOS and iPadOS, Apple’s App Store rules insist that any software that offers any sort of web browsing functionality must be based on WebKit, including browsers such as Chrome, Firefox and Edge that don’t rely on Apple’s browsing code on any other plaforms where you might use them.
Additionally, any Mac and iDevice apps with popup windows such as Help or About screens use HTML as their “display language” (a programmatic convenience that is understandably popular with developers) almost certainly use Apple’s WebView system functions.
WebView takes care of rendering HTML windows that are embedded in other apps, and WebView is based directly on top of WebKit, and