Although the company released its iOS 16.1.2 update on Nov. 30 — available on Apple’s iPhone 8 and later devices — it only confirmed the security upgrade for the bug on Tuesday.
What We Know About WebKit Bugzilla 248266
In its disclosure, Apple said that Google Threat Analysis Group (TAG) researcher Clément Lecigne uncovered the vulnerability affecting WebKit — tracked as WebKit Bugzilla 248266 or CVE-2022-42856. WebKit is Apple’s web browser engine that powers Safari and iOS apps, and threat actors typically exploit WebKit bugs when a target visits a malicious domain in the browser or through the in-app browser.
These bugs are called “zero-day” because the company in question has been given no notice to fix the flaw, which attackers may use to breach a device’s operating system and access user data. They can also exploit the bug along with other vulnerabilities to break even further into a victim’s device.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the disclosure reads. Apple did not provide any further information on the scope of the attack or any indicators of compromise for defenders to look out for. “For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” the company added.
Apple’s Recent Security Features
Despite marketing itself as a defender of user privacy, Apple’s lineup of products and software has had its fair share of security concerns in recent memory. During the Pegasus saga last year, researchers at Citizen Lab found an exploit, “FORCEDENTRY,” which was circumventing Apple’s software security feature “BlastDoor.” Attackers used this iMessage vulnerability to install Pegasus spyware onto a Saudi activist’s iPhone. In October 2022, a security researcher found that iOS devices allow certain apps to exchange data with Apple services outside active VPN networks.
On a positive note, the tech giant recently announced new security features set to roll out in 2023. These features include granting users the ability to verify that their iMessage conversations are private, using physical Security Keys for Apple ID authentication, and end-to-end encryption to protect iCloud data. If you’re an Apple user, make sure to update to iOS’s latest 16.1.2 version. We also recommend checking out the safety levels of some of Apple’s products, like iCloud and AirTags.