Apple said that a software update it released two weeks ago for iPhone smartphones fixed an exposed security vulnerability, and revealed that the vulnerability had been exploited.
Apple released iOS 16.1.2 on November 30 for all supported iPhones, for iPhone 8 and later. The new version came with important security updates that the company did not specify.
Apple revealed on its security updates page that the update fixed a bug in the WebKit browsing engine that powers its Safari browser and other apps, and by exploiting it, threat actors can run malicious code on a victim’s device.
Apple said Google’s Threat Analysis Group, which investigates spyware, hacking and government-backed cyberattacks, discovered the vulnerability in the WebKit engine.
WebKit vulnerabilities are often exploited when a user visits a malicious domain in their browser, or through browsing pages in other applications. Threat actors seek to exploit vulnerabilities in the browsing engine as a way to break into the operating system and users’ private data. WebKit vulnerabilities can be linked with other vulnerabilities to penetrate multiple layers of a device’s defenses.
Apple said it was aware of the vulnerability exploit in versions of iOS prior to version 15.1, which was released in October 2021. For users of those versions, who have not yet updated to iOS 16, the company has also released version 15.7.2 of iOS and iPadOS. Fixes WebKit vulnerability for those using iPhone 6s and later and some iPad tablet models.
The vulnerability is now being tracked under ID CVE-2022-42856 or WebKit 247562. It is not clear why Apple muted details of the vulnerability for two weeks.
It should also be noted that Apple released two days ago iOS 16.2, which includes end-to-end encryption of data in iCloud backups, in addition to other features.
