iOS 16.2 rolled out this week, and it seems it came just in time.
According to Bleeping Computer (opens in new tab), this week’s iOS 16.2 update fixes a zero-day hack used to attack iPhones. In fact, this vulnerability is being actively exploited in the wild to attack iPhone users, so make sure you update to iOS 16.2 now. If you’re not sure how to update, check out our guide on how to update to iOS 16.2.
The bug in question is a type confusion issue in Apple’s Webkit browsing engine that is used in Safari, among other Apple apps. Type confusion issues occur when a piece of code doesn’t verify the type of an object that is passed to it and uses the object blindly, according to the Microsoft Defender Security Research Team (opens in new tab).
In this type of confusion exploit, maliciously crafted web content is used to perform arbitrary code execution (opens in new tab), caused by a software error in Apple’s Webkit to execute commands in the operating system, deploy additional malware or spyware or execute other potentially malicious actions. It was discovered by Clément Lecigne of Google's Threat Analysis Group in iOS 16.1.2 according to Apple (opens in new tab), who only disclosed it this week.
While Apple hasn't disclosed how attacks exploiting this vulnerability work due to security reasons we do know that it’s not just iPhones like the iPhone 14 that are affected. Any device not running iOS 16.2 or iPadOS 16.2 could be vulnerable, though Apple did release iOS 15.7.2 as a security-only update for some older devices and perhaps now we know why.
It’s also not just iPhones and iPads that are vulnerable. As many of Apple's products use WebKit, this exploit could impact a wide array of devices. While Apple claims (opens in new tab) that only versions of iOS prior to iOS 15.1 may have been exploited by malicious actors, we found evidence of a patch for this exploit in the security notes for Safari 16.2 (opens in new tab), tvOS 16.2 (opens in new tab) and macOS Ventura 13.1 (opens in new tab). So make sure you update all of your Apple devices right now just to be safe.