Apple has confirmed that an iPhone software update it released two weeks ago fixed a zero-day security vulnerability that it now says was actively exploited.
The update, iOS 16.1.2, landed on November 30 and rolled out to all supported iPhones, including iPhone 8 and later, with unspecified “important security updates.”
In a disclosure to its security updates page on Tuesday, Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps, which if exploited could allow malicious code to run on the person’s device. The bug is called a zero-day because the vendor is given zero days notice to fix the vulnerability.
Apple said Google’s Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered the WebKit bug.
WebKit bugs are often exploited when a person visits a malicious domain in their browser (or via the in-app browser). It’s not uncommon for bad actors to find vulnerabilities that target WebKit as a way to break into the device’s operating system and the user’s private data. WebKit bugs can be “chained” to other vulnerabilities to break through multiple layers of a device’s defenses.
Apple said today that it is aware that the vulnerability was exploited “against versions of iOS released before iOS 15.1,” which was released in October 2021. As such, and for those who have not yet updated to iOS 16, Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for users running iPhones 6s and later and some iPad models.
The bug is tracked as CVE-2022-42856, or WebKit 247562. It’s not clear why Apple withheld details of the bug for two weeks for reasons. A spokesperson for Apple did not return a request for comment.
Apple has since released iOS 16.2, which includes end-to-end encryption for data backed up in iCloud and other new features.