Apple has confirmed that an iPhone software update it released 2 weeks ago fixed a zero-day security vulnerability that it now says was actively exploited.
The update, iOS 16.1.2, landed on November 30 and rolled out to all supported iPhones, including iPhone 8 and later, with unspecified “important security updates.”
In a disclosure to its security updates page on Tuesday, Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps, which if exploited could allow malicious code to run on the person’s device. The bug is called a zero-day because the vendor is given zero days notice to fix the vulnerability.
Apple said Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered the WebKit bug.
WebKit bugs are often exploited when a person visits a malicious domain in their browser (or via the in-app browser). It’s not uncommon for bad actors to find vulnerabilities that target WebKit as a way to break into the device’s operating system and the user’s private data. WebKit bugs can be “chained” to other vulnerabilities to break through multiple layers of a device’s defenses.
Apple said today that it is aware that the vulnerability was exploited “against versions of iOS released before iOS 15.1,” which was released in October 2021. As such, and for those who have not yet updated to iOS 16, Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for users running iPhones 6s and later and some iPad models.
The bug is tracked as CVE-2022-42856, or WebKit 247562. It’s not clear why Apple withheld details of the bug for 2 weeks. A spokesperson for Apple did not return a request for comment.
Apple has since released iOS 16.2, which includes end-to-end encryption for data backed up in iCloud and other new features.