Apple iOS updates tend to get little hype unless they contain flashy changes, such as new features or emoji, but yesterday's (Jan. 23) iOS 10.2.1 update is a must-download for more immediate reasons.
In Apple's documentation of the security-related contents of iOS 10.2.1, the company notes solutions to 18 common vulnerabilities and exposures (CVEs), the formal name for security flaws. Of those, a whopping 11 relate to WebKit, the widely used browser engine found in Safari for iOS, the App Store and many iOS apps, which could become a target for attackers looking for devices that haven't been updated.
To install iOS 10.2.1, open Settings, tap General, tap Software Update and follow the instructions. We suggest backing your device up via iCloud or iTunes prior to installing the update. We haven't seen anyone publish the exploits for these attacks, but now that they're known to exist, we suspect online troublemakers are looking to start taking advantage of them.
Seven of the WebKit CVE flaws closed by iOS 10.2.1 allowed for "maliciously crafted web content" to execute code on your device. This could come in the form of an attack where a user is manipulated into opening a website that they think is safe, but that then installs malware onto the device.
Two other CVE flaws resolved by iOS 10.2.1 appear to be potentially scarier, as they allowed for attackers to install software with the highest level of access. These kernel-privileges installations could do the most damage, collecting data from your phone's storage, camera and microphone in the background and transmitting it back to home base.
Another patched flaw would unlock an iOS device's screen even without an Apple Watch nearby, while a second flaw let an unauthorized user briefly open the home screen on a locked device. Researchers from Google's Project Zero team had a hand in finding nine of the patched vulnerabilities.
The iOS 10.2.1 update is available for iPhone 5 and later, iPad fourth-generation and later and iPod touch sixth-generation and later.
Some of the same flaws were also patched yesterday in a macOS security update.