Since iOS 15.6.1 closes two security weaknesses that have already been exploited to target iPhones, Apple has issued it along with a caution to update immediately.
A vulnerability in the iPhone Kernel identified as CVE-2022-32894, which might allow an application to run code with kernel privileges, is the first problem patched in iOS 15.6.1. The iPhone manufacturer notes on its support page that it is “aware of a report that this problem may have been actively exploited.”
The other problem fixed in iOS 15.6.1 is CVE-2022-32893, a vulnerability in WebKit, the browser engine that drives Safari. This bug might lead to arbitrary code execution. Apple claims that it thinks intruders have exploited it in actual situations.
According to Apple’s press release, the iOS 15.6.1 upgrade “provides crucial security improvements and is recommended for all customers.”
Apple’s iOS 15.6.1, released only a few weeks after iOS 15.6, is the most recent of several iOS updates this year that correct vulnerabilities that have already been exploited.
As soon as you can, update to iOS 15.6.1.
To prevent more attackers from obtaining the information, Apple withholds any additional information regarding the iPhone vulnerabilities resolved in iOS 15.6.1. But it should go without saying that this change is significant, and without knowing who the target is, updating right now makes the most sense.
According to independent security researcher Sean Wright, Apple iOS 15.6.1 is a significant release. The two flaws “may be coupled together to allow attackers to remotely get complete access to victims’ devices,” the author speculates.
In light of this, he urges you to update your iPhone as soon as possible to iOS 15.6.1.
I concur. Some individuals prefer to wait for any flaws to be fixed before updating new iPhone versions. However, I advise you to make an exception and update to iOS 15.6.1 because kernel-related problems are currently at their worst and are not worth the risk.
So why are you still waiting?
Download and install iOS 15.6.1 right now by going to Settings > General > Software Update on your iPhone.
Updated on August 19:
The iOS 15.6.1 security weaknesses have been addressed, but security firm Sophos has provided some insight into how they might have resulted in actual assaults. Paul Ducklin, the lead research scientist at Sophos, describes how a “booby-trapped web page” might deceive iPhones, iPads, and Macs into running unapproved and untrusted software programs using the WebKit CVE-2022-32893 flaw, which powers the Safari browser. Simply said, even if all you did was read an otherwise harmless online page, a cybercriminal might install malware on your device, according to him.
He also cautions that staying away from Safari won’t help. More apps and system components than simply Apple’s own Safari browser could be impacted by the vulnerability.
After successfully exploiting the WebKit problem to acquire a basic foothold on an Apple device, an attacker may be able to “move from controlling just a single app to taking over the operating system kernel itself” using the second vulnerability addressed in iOS 15.6.1, identified as CVE-2022-32894.
According to Durkin, these are the kinds of “administrative superpowers” that Apple typically reserves for itself.
An attacker might then be able to read your messages, turn on your camera and microphone, access your device’s data, change your security settings, and spy on apps. Very spooky.
There are indications that the vulnerabilities fixed in iOS 15.6.1 might be used to launch a highly targeted assault and secretly install spyware on a target device—a tactic normally employed against prominent targets like journalists and dissidents.
According to Durkin, “a working WebKit RCE followed by a working kernel exploit, as seen here, typically provides all the functionality needed to mount a device jailbreak (thus purposefully bypassing almost all Apple-imposed security restrictions) or to install background spyware and keep you under extensive surveillance.
He exhorts everyone to update right away to iOS 15.6.1.
Don’t forget to update all of your Apple devices, as the company that makes the iPhone has also launched watchOS 8.7.1, iPad 15.6.1, and macOS Monterey 12.5.1.
Join me on LinkedIn or Twitter.