
CISA warns of active exploitation of three-year-old Apple JavaScriptCore vulnerability

Take action: If you're using older Apple devices (macOS, iOS, iPadOS, Safari, tvOS, or watchOS from before mid-2022), update immediately to the latest supported version. Attackers are actively exploiting a three-year-old flaw in devices that were never patched. If your device is too old to receive updates, either use an alternative update method to raise the OS version (this works only on macOS) or stop using it for sensitive tasks and replace it with a supported device.



CISA is warning of active exploitation of a critical vulnerability affecting multiple Apple products. 

The flaw, tracked as CVE-2022-48503 (CVSS score 8.8), is a vulnerability in the JavaScriptCore engine that could allow attackers to execute arbitrary code when a device processes malicious web content. It affects macOS, iOS, tvOS, Safari, and watchOS. Although Apple originally patched it in July 2022, the vulnerability is being used in active attacks targeting unpatched and end-of-life systems.

Even though Apple released patches over three years ago, the vulnerability is still relevant for organizations and individuals running outdated software or using end-of-life devices that no longer receive security updates.

Apple released security fixes for CVE-2022-48503 in July 2022 for the following products and versions:

  • macOS Monterey 12.5
  • iOS 15.6
  • iPadOS 15.6
  • Safari 15.6
  • tvOS 15.6
  • watchOS 8.7

Devices running earlier versions of these operating systems that have not been updated remain vulnerable to exploitation. Additionally, devices that have reached end-of-life status and are no longer receiving security updates from Apple cannot be patched and remain permanently at risk.

The fixes for CVE-2022-48503 shipped in the following security updates:

  • macOS Monterey 12.5 (Security Update HT213340)
  • iOS 15.6 and iPadOS 15.6 (Security Update HT213341)
  • Safari 15.6 (Security Update HT213342)
  • tvOS 15.6 (Security Update HT213345)
  • watchOS 8.7 (Security Update HT213346)

Users should immediately verify their systems have received these updates or have upgraded to newer versions that include the fix. 
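One way to run that verification across a device inventory export, as an added example (not code from CISA, Apple or the original article): it compares reported versions numerically against the fixed versions listed above, since a plain string comparison would wrongly rank 15.10 below 15.6. The CSV columns, host names and status labels are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Minimum fixed versions, taken from the list in the article.
FIXED = {
    "macos": (12, 5),
    "ios": (15, 6),
    "ipados": (15, 6),
    "safari": (15, 6),
    "tvos": (15, 6),
    "watchos": (8, 7),
}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = """host,product,version
mac-lab-01,macOS,12.4
mac-lab-02,macOS,12.5
mac-dev-03,macOS,13.6.1
iphone-17,iOS,15.5
ipad-kiosk-2,iPadOS,15.6.1
atv-lobby,tvOS,15.10
watch-04,watchOS,8.6
mac-old-09,macOS,10.15.7
tablet-x,Android,14
scanner-1,iOS,unknown
"""

def parse_version(text):
    """Turn '15.6.1' into (15, 6, 1); raise ValueError on non-numeric input."""
    return tuple(int(part) for part in text.strip().split("."))

def classify(product, version):
    """Return 'patched', 'vulnerable', 'unknown-version' or 'not-applicable'."""
    minimum = FIXED.get(product.strip().lower())
    if minimum is None:
        return "not-applicable"
    try:
        found = parse_version(version)
    except ValueError:
        return "unknown-version"  # needs manual review, do not assume patched
    # Tuple comparison is numeric per component, so (15, 10) >= (15, 6).
    return "patched" if found >= minimum else "vulnerable"

def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Hosts reported as vulnerable or unknown-version are the ones to update or retire; Safari is tracked as its own product row because its version is independent of the macOS version.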

For devices that are end-of-life or end-of-service, CISA recommends referring to Apple's official security advisories and immediately updating to supported versions or discontinuing use of deprecated devices. 
