# Urgent Upgrade Required: CISA Directs Federal Agencies to Patch iPhones
## Chapter 1: Overview of the Vulnerability
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive mandating that federal entities must upgrade their iPhones by February 25th. This is in response to a serious vulnerability found in Apple’s WebKit, often exploited to compromise iPhones, iPads, and Macs. This vulnerability has now been included in CISA's list of publicly exploited weaknesses.
### Section 1.1: Specifics of the Directive
CISA's binding operational directive (BOD 22-01), published in November, requires all Federal Civilian Executive Branch (FCEB) agencies to address the vulnerability known as CVE-2022-22620 by the set deadline. The agency has emphasized that vulnerabilities like this one are frequently targeted by cybercriminals, posing a considerable risk to federal operations.
#### Subsection 1.1.1: Recommendations for Other Organizations
While BOD 22-01 is specifically aimed at FCEB agencies, CISA strongly advises other organizations to prioritize addressing vulnerabilities listed in the Catalog. This proactive approach is crucial to safeguard against potential attacks. Additionally, CISA has highlighted the need for FCEB agencies to resolve 15 other security issues, with a deadline for patching CVE-2021-36934, a flaw in Microsoft Windows that can lead to privilege escalation and credential theft.
### Section 1.2: Understanding the Vulnerability
CVE-2022-22620 marks Apple’s third zero-day vulnerability identified in 2022. This particular flaw, categorized as a WebKit use-after-free issue, has the potential to cause operating system crashes and allow code execution on affected devices. When users visit maliciously designed websites through Safari, attackers can exploit this vulnerability to run arbitrary code on iPhones, iPads, and Macs.
## Chapter 2: Broader Implications of the Flaw
Kaspersky has warned that all browsers on iOS and iPadOS utilize this open-source engine, meaning that the vulnerability impacts not just Safari, but also Google Chrome, Mozilla Firefox, and others. Therefore, even users who do not use Safari are at risk. Apple has acknowledged reports that this vulnerability may be actively exploited.
In response, Apple has updated its memory management systems in iOS 15.3.1, iPadOS 15.3.1, and macOS Monterey 12.2.1 to address this issue. The devices affected include the iPhone 6s and newer models, several iPad versions, and Macs running macOS Monterey.
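The fixed releases named above (iOS 15.3.1, iPadOS 15.3.1, macOS 12.2.1) and the February 25 deadline are what an inventory check for this directive actually compares against. The following is an added example, not code from the article, CISA or Apple: it parses dotted OS version strings, compares them component-wise so that 15.3 correctly ranks below 15.3.1, and classifies a constructed (hypothetical) device inventory as patched, unpatched, or "review". The "review" status is an assumption of this example: it flags devices on a major release older than the patched one (for instance macOS 11), which the article does not cover, so that they are not silently reported as compliant.

```python
from datetime import date

# Fixed releases named in the article; a version at or above these is treated as patched.
FIXED_VERSIONS = {
    "iOS": (15, 3, 1),
    "iPadOS": (15, 3, 1),
    "macOS": (12, 2, 1),
}
DEADLINE = date(2022, 2, 25)  # BOD 22-01 due date stated in the article


def parse_version(text):
    """Turn '15.3.1' into (15, 3, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def _padded(version, width):
    # Missing trailing components count as zero, so (15, 3) becomes (15, 3, 0).
    return version + (0,) * (width - len(version))


def compare_versions(a, b):
    """Return -1, 0 or 1 so that 15.3 < 15.3.1 and 15.4 > 15.3.1."""
    width = max(len(a), len(b))
    pa, pb = _padded(a, width), _padded(b, width)
    return (pa > pb) - (pa < pb)


def patch_status(platform, version_text):
    """Classify one device: 'patched', 'unpatched', or 'review'.

    'review' (an assumption of this example) means the device runs a major release
    older than the one the article says Apple patched, so this check cannot decide
    and a human should consult the vendor advisory for that release train.
    """
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        raise ValueError(f"unknown platform: {platform!r}")
    version = parse_version(version_text)
    if version[0] < fixed[0]:
        return "review"
    return "patched" if compare_versions(version, fixed) >= 0 else "unpatched"


# Constructed sample inventory: hypothetical hostnames, not real data.
SAMPLE_INVENTORY = [
    {"host": "lt-0142", "platform": "macOS", "version": "12.2.1"},
    {"host": "lt-0143", "platform": "macOS", "version": "12.2"},
    {"host": "lt-0201", "platform": "macOS", "version": "11.6.3"},
    {"host": "ph-0077", "platform": "iOS", "version": "15.3.1"},
    {"host": "ph-0078", "platform": "iOS", "version": "15.3"},
    {"host": "tb-0009", "platform": "iPadOS", "version": "15.4"},
]


def assess(inventory, today_iso):
    """Annotate each record with its status and whether it is past the directive deadline."""
    today = date.fromisoformat(today_iso)
    report = []
    for rec in inventory:
        status = patch_status(rec["platform"], rec["version"])
        report.append({**rec, "status": status,
                       "overdue": status == "unpatched" and today > DEADLINE})
    return report


def summarize(report):
    """Count records per status for a compliance summary."""
    counts = {"patched": 0, "unpatched": 0, "review": 0}
    for rec in report:
        counts[rec["status"]] += 1
    return counts


def overdue_hosts(inventory, today_iso):
    """Hostnames still unpatched after the deadline, sorted for stable output."""
    return sorted(r["host"] for r in assess(inventory, today_iso) if r["overdue"])


if __name__ == "__main__":
    report = assess(SAMPLE_INVENTORY, "2022-03-01")
    for rec in report:
        print(f"{rec['host']:8} {rec['platform']:7} {rec['version']:8} "
              f"{rec['status']:10} overdue={rec['overdue']}")
    print(summarize(report))
```

The component-wise comparison matters: a naive string comparison would rank "15.3" above "15.3.1" is false but "12.2" below "12.2.1" only by accident of length, and would rank "15.10" below "15.3". In a real deployment the inventory would come from an MDM export rather than the constructed list, and the "review" bucket should be resolved against Apple's own advisory rather than treated as compliant.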
Despite indications that this flaw may have been primarily exploited in targeted attacks, CISA recommends that users apply the patches immediately to mitigate risks of further exploitation. Earlier in January, Apple also patched two additional zero-day vulnerabilities, one of which allowed hackers to monitor user browsing and identities in real time (CVE-2022-22594) and another that enabled arbitrary code execution with kernel privileges (CVE-2022-22587).