Apple has issued iOS 16.1, and it comes with a warning to update now because the iPhone upgrade fixes 20 security issues—one of which is already being used in attacks.
Apple doesn’t share much detail about what’s been fixed in iOS 16.1, to avoid more adversaries getting hold of the information they need to perform attacks. The already-exploited security issue patched in iOS 16.1 is in the Kernel at the heart of the iPhone operating system.
Tracked as CVE-2022-42827, the vulnerability could allow an attacker to execute code with Kernel privileges via an app. “Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker’s support page reads.
Other iPhone flaws fixed in iOS 16.1 include two more issues in the Kernel, one of which can be exploited remotely. Among the other vulnerabilities patched in iOS 16.1 are several flaws in WebKit, the engine that powers Apple’s Safari browser.
When Apple launched iOS 16, it also updated iOS 15.7 with security fixes for those who want to wait to update to the latest and greatest operating system. At the time of writing, there is no iOS 15.7.1 to fix the same flaws patched in iOS 16.1.
What’s known about the iPhone security issue, CVE-2022-42827?
I always suggest applying important iPhone updates straight away—and iOS 16.1 is no exception since CVE-2022-42827 is being used in real-life attacks. Yes, it’s likely these are targeted at a small number of people—like the Pegasus spyware attacks—but with limited details available, the only way to be sure is to upgrade.
Apple hasn’t said which cybercrime group or spyware company is abusing this bug, Paul Ducklin, a researcher at security firm Sophos writes. However, he warns: “Given the high price that working iPhone zero-days command in the cyber-underworld, we assume that whoever is in possession of this exploit [a] knows how to make it work effectively and [b] is unlikely to draw attention to it themselves, in order to keep existing victims in the dark as much as possible.”
The iOS 16.1 update fixes some high-severity issues that would allow an attacker to gain full access to the device, says independent security researcher Sean Wright. He says an attacker would need to “chain the Kernel level vulnerabilities with some of the other flaws to allow a malicious app to exploit them.”
This could be done remotely via one of the WebKit vulnerabilities, Wright adds.
While attacks using the iOS 16.1 flaws are likely to be targeted at a small subset, some of these vulnerabilities could become more mainstream, Wrights says, adding that you should update “when you can.”
Update to iOS 16.1 to keep your iPhone safe
It’s always a good idea to keep your iPhone up to date, particularly when security flaws are being used in real-life attacks. It’s especially relevant to update to iOS 16.1 now if you are a high-target or business user.
If you have an iPad, Apple has just released iPadOS 16, which fixes the same set of security problems as iOS 16.1.
You know what to do—go to your Settings > General > Software Update and upgrade to iOS 16.1 to keep your iPhone safe.