Apple Fixes WebKit Vulnerability in iPhones and MacBooks With New Update
Apple has just released a new update to fix an issue that can allow third-party websites to steal private data from iPhones and MacBooks. The problem stems from a vulnerability in the WebKit library. According to the company, a recent update to iOS 16.1 and macOS Big Sur 11.7 fixes this issue.
iOS 15.6.1
A new security update by Apple fixes two major flaws, which could enable attackers to run malicious software on your iPhone or MacBook. The bugs are related to the kernel and WebKit software, and could be used to steal your personal data, change security settings, or spy on your apps.
The kernel is the heart of your computer’s operating system. The latest version fixes the bug that allowed a bad actor to run arbitrary code.
The bug was triggered by booby-trapped web pages, which tricked devices into running the wrong code. One exploit allowed the hackers to run background spyware on the device. Another allowed them to gain full admin access.
The newest version of iOS fixes the bug that allowed a malicious application to run arbitrary code. However, there is no guarantee that any particular version of the software will be exploited in the wild.
In fact, there have been more than a few reports of similar flaws. For instance, the JavaScript bug was uncovered earlier this month.
Meanwhile, the new iOS update fixes a flaw in the WebKit engine, which powers browsers on iOS. This flaw can be exploited to inject maliciously crafted web content into your browser, which could potentially execute arbitrary code on your phone.
iOS 16.1 beta 5
In addition to the release of iOS 16.1, Apple has fixed a bug that has been affecting iPhones and MacBooks for years. The bug involves a WebKit engine that renders graphical interfaces. This is a relatively simple vulnerability, but it can allow an attacker to gain kernel privileges and execute code on a device.
It is classified as a Bugzilla vulnerability, so it should be patched in a future update. Apple also disclosed two other vulnerabilities in the past two weeks.
The first is a logic error that allows an attacker to bypass restrictions on debug system calls. If an attacker can successfully access the memory of a device with NTLM authentication, they can run code.
Another vulnerability concerns mounting malicious disk images. That can lead to arbitrary code execution and a shutdown of the device.
One of the more interesting changes in iOS 16 is the inclusion of a new app interface class that is related to graphics. These functions have not been identified yet, but they are likely related to wireless connectivity and tethering.
Users can now enable the LED camera flash for incoming messages and calls. Additionally, the Location Services cache is now deleted when the Location Services feature is disabled.
Finally, iOS 16.2 includes a new Apple app. This app is known as “Custom Accessibility Mode,” but it’s not live in the software yet.
Backported patches for macOS Big Sur 11.7
The latest update for macOS Big Sur brings several security fixes and bug fixes. It is recommended for all Mac users. However, some features may not be available in all regions.
One of the most important updates includes an updated fix for a kernel flaw. This flaw could allow malicious apps to execute arbitrary code with kernel-level privileges.
Other security fixes include the fix for the Sandbox issue. This also includes improved data protection.
macOS Big Sur also comes with new blurs and a revamped Time Machine backup mechanism. Apple has also updated its Apple News widgets and AirPods Max support. For iPhone users, there are more voice options for Siri. Some features require an Apple ID.
Additionally, Apple has backported the CVE-2022-32894 fix for iOS 15.6.1 to macOS Big Sur 11.7 today. This fixes a zero-day vulnerability, but it only applies to devices running iOS 15.6, as well as a subset of iOS 16.
A second zero-day was addressed in iOS 12.6, but it is still in the wild. Those who were using iOS 12.6, or any older supported version, should update immediately.
Although these issues are known as Apple zero-days, they were exploited against non-Apple devices. These are vulnerabilities that are usually used in highly targeted attacks. Usually, the only way to stay safe from these types of threats is to stay on the latest OS version.