Tech Gadget Central Latest Tech News and Reviews
Apple has acknowledged that a two-week-old iPhone software update it provided addressed a zero-day security flaw that it now claims was being actively exploited.
The update, known as iOS 16.1.2, was released on November 30 and included unnamed “critical security updates” for all compatible iPhones, including iPhone 8 and later.
Apple claimed the update patched a bug in WebKit, the browser engine that powers Safari and other apps, in a disclosure to its security updates website on Tuesday. If exploited, the bug may have allowed malicious code to run on the user’s device. The vendor has only one day to address the vulnerability, hence the name “zero-day” problem.
According to Apple, the WebKit problem was found and disclosed by security researchers at Google’s Threat Analysis Group, which looks at nation state-sponsored malware, hacking, and cyberattacks.
When a person accesses a malicious domain in their browser, WebKit flaws are frequently exploited (or via the in-app browser). Bad actors frequently discover WebKit-targeted vulnerabilities as a means of accessing the operating system of a device and the personal information of its users. It is possible to “chain” WebKit problems to other flaws to bypass many layers of a device’s security.
In its report on Tuesday, Apple stated that it was informed that the flaw was used “against versions of iOS released before iOS 15.1,” which was made available in October 2021. In order to address the WebKit vulnerability for users of iPhones 6s and later as well as some iPad models and for those who have not yet updated to iOS 16, Apple has published iOS and iPadOS 15.7.2.
The flaw is catalogued as WebKit 247562, or CVE-2022-42856. It’s unclear why Apple suppressed information about the flaw for two weeks. Google and Apple did not respond to a request for comment.
Since then, Apple has launched iOS 16.2, which contains new capabilities like end-to-end encryption for iCloud data backups.
