On November 30, Apple released the iOS 16.1.2 update, leaving many users and experts wondering why it was necessary to release an update now, instead of waiting on iOS 16.2 to drop. The answer to that conundrum is in.
The iOS 16.1.2 update improved the iPhone 14’s Crash Detection and included nondescript carrier upgrades, which aren’t critical issues, to say the least. However, there seemed to be another reason for deploying a patch so rapidly, beyond simply improving how crashes are detected.
Now, the clandestine reason for the surprise update has come to light, which also explains at least one of the security updates that occurred at the time and that Apple kept quiet about. Following a barrage of updates on December 13, Apple revealed what occurred, and it doesn’t sound too great.
The iOS 16.1.2 update fixed a zero-day vulnerability in Apple’s WebKit engine for Safari. This specific vulnerability allowed hackers to run arbitrary code on a user’s Mac due to a type confusion issue and was addressed with improved state handling.
Apple stated that it is aware that the issue may have been exploited “against versions of iOS released before iOS 15.1.”
According to MacWorld, “The vulnerability (classified as CVE-2022-42856) was found as part of the Bugzilla program by Clément Lecigne of Google’s Threat Analysis Group. According to Bleeping Computer, this is the 10th zero-day vulnerability Apple has fixed in 2022. A zero-day vulnerability is one that was previously unknown to vendors.”
Apple kept this information hidden for a good two weeks before releasing it to the public. The company felt particularly charitable at the time, so it disclosed additional WebKit flaws on December 13 as part of the Safari 16.2 release in macOS and iOS.
It just goes to show that Macs and iPhones can, at times, be just as vulnerable as other devices.