iOS 16.2 rolled out this week, and it seems it came just in time.
According to Bleeping Computer, this week’s iOS 16.2 update fixes a zero-day hack used to attack iPhones. In fact, this vulnerability is being actively exploited in the wild to attack iPhone users, so make sure you update to iOS 16.2 now. If you’re not sure how to update, check out our guide on how to update to iOS 16.2.
The bug in question is a type confusion issue in Apple’s Webkit browsing engine that is used in Safari, among other Apple apps. Type confusion issues occur when a piece of code doesn’t verify the type of an object that is passed to it and uses the object blindly, according to the Microsoft Defender Security Research Team.
In this type of confusion exploit, maliciously crafted web content is used to perform arbitrary code execution, caused by a software error in Apple’s Webkit to execute commands in the operating system, deploy additional malware or spyware or execute other potentially malicious actions. It was discovered by Clément Lecigne of Google's Threat Analysis Group in iOS 16.1.2 according to Apple, who only disclosed it this week.
While Apple hasn't disclosed how attacks exploiting this vulnerability work due to security reasons we do know that it’s not just iPhones like the iPhone 14 that are affected. Any device not running iOS 16.2 or iPadOS 16.2 could be vulnerable, though Apple did release iOS 15.7.2 as a security-only update for some older devices and perhaps now we know why.
It’s also not just iPhones and iPads that are vulnerable. As many of Apple's products use WebKit, this exploit could impact a wide array of devices. While Apple claims that only versions of iOS prior to iOS 15.1 may have been exploited by malicious actors, we found evidence of a patch for this exploit in the security notes for Safari 16.2, tvOS 16.2 and macOS Ventura 13.1. So make sure you update all of your Apple devices right now just to be safe.