Apple has released iOS 15.6.1, along with an update warning now, because it fixes two security holes already being used to attack the iPhone.
The first issue fixed in iOS 15.6.1 is a vulnerability in the iPhone kernel, tracked as CVE-2022-32894, which could allow an app to run code with kernel privileges. “Apple is aware of a report that this problem may have been actively exploited,” the iPhone manufacturer says on its support page.
Another problem fixed in iOS 15.6.1 is a flaw in WebKit, the browser that powers Safari, CVE-2022-32893, which could allow arbitrary code execution. Apple says it believes attackers have used it in real-world scenarios.
The iOS 15.6.1 update “provides important security updates and is recommended for all users,” Apple says in its release.
Apple’s iOS 15.6.1 comes a few weeks after iOS 15.6, and is the latest of several iOS fixes for already exploited problems this year.
Update iOS 15.6.1 as soon as you can
Apple isn’t giving more details about the iPhone vulnerabilities patched in iOS 15.6.1 to avoid getting the details into the hands of more attackers. But it goes without saying that this update is a big one, and without information about who is the target, the smartest thing to do is to make the update now.
“Apple iOS 15.6.1 is an important update,” says independent security researcher Sean Wright. He says it’s possible the two vulnerabilities “could be linked together to allow attackers to remotely gain full access to victims’ devices.” With that in mind, he recommends you update your iPhone to iOS 15.6.1 as soon as possible.
I agree. Some people don’t like to update iPhone versions right away to wait for any bugs to be fixed. However, I recommend you make an exception and update iOS 15.6.1-problems in the kernel are about as bad as you can get, so it’s not worth the risk.
So what are you waiting for? Go to your iPhone settings > General > Software Update and download and install iOS 15.6.1 now.
August Update:
Security company Sophos has shed light on how the fixed flaws in iOS 15.6.1 may have led to actual attacks. In a recent blog post, Sophos chief scientist Paul Ducklin explains how the CVE-2022-32893 flaw in WebKit, which underpins the Safari browser, could allow “web mining” to cause iPhones, iPads and Macs to run unauthorized and untrusted software code. “Simply put, a cybercriminal can inject malware onto your device even if all you’ve done is browse an innocent Web page,” he says.
He also warns that avoiding Safari won’t help. “The vulnerability potentially affects many more applications and system components than just Apple’s own Safari browser.”
The second vulnerability, patched in iOS 15.6.1, tracked as CVE-2022-32894, could allow an attacker who has already gained a baseline foothold on an Apple device using the WebKit bug “to go from managing just one app to taking over the operating system core itself.”
This is a kind of “administrative superpowers” usually reserved for Apple itself, Dakin explains.
It could allow an attacker to spy on apps, access data on the device, change security settings, read messages and activate the camera and microphone. Scary stuff.
There are hints that the flaws fixed in iOS 15.6.1 will be used to perform a very targeted attack to install spyware on a device typically used against high-profile targets such as dissidents and journalists.
“A working WebKit RCE followed by a working kernel exploit, as seen here, usually provides all the features needed to mount a device jailbreak (so deliberately bypassing almost all the security restrictions Apple has imposed), or install spyware and keep you under surveillance,” Dakin says.
He urges people to update to iOS 15.6.1 immediately.
Don’t forget to update all Apple devices, as the iPhone maker has also released iPadOS 15.6.1, Watch 8.7.1 and macOS Monterey 12.5.1.
