Apple has released iOS 16.2, the latest software update for iPhone and iPad, which fixes multiple security vulnerabilities, including several that could allow cyber attackers to run commands and take control of devices.
Among the vulnerabilities is CVE-2022-46689, a security flaw in the kernel -- the core of the operating system -- that could enable the execution of arbitrary code. Another kernel flaw, CVE-2022-42842, could allow a remote user to execute code on the device.
The update also fixes several security vulnerabilities in WebKit, the engine that powers web browsers on iOS and iPadOS. Four of these -- CVE-2022-42867, CVE-2022-46691, CVE-2022-46696 and CVE-2022-46700 -- could allow an attacker who directs a user to maliciously crafted web content to achieve arbitrary code execution.
Among the other flaws addressed by the latest security update are CVE-2022-42846, a vulnerability in the graphics driver in which processing a maliciously crafted video file could result in unexpected system termination, and CVE-2022-42837, a flaw in the iTunes Store that could allow a remote user to cause unexpected app termination or arbitrary code execution.
Full details of the vulnerabilities addressed in the 16.2 update aren't available yet. "For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available," said Apple in a document disclosing the vulnerabilities.
The latest list of security updates also reveals information about iOS 16.1.1, an iPhone-only security update released last month. At the time, Apple didn't reveal what the update fixed, stating only that it was important and that users should update as soon as possible.
Now it's been disclosed that the update addressed a security vulnerability that was being actively exploited by cyber attackers to target iPhones. CVE-2022-42856 affects iPhone 8 and later and is a bug which, if the user is tricked into allowing it, enables the processing of maliciously crafted web content that could lead to arbitrary code execution.
The vulnerability was discovered by Google Project Zero, Google's cybersecurity vulnerability-hunting team, although full details about the flaw, who was using it and who was being targeted, have yet to be disclosed.
In order to protect against all the vulnerabilities, it's recommended that users apply the updates as soon as they can. On an iPhone or iPad, the installed version and any pending update are shown under Settings > General > Software Update.
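For anyone responsible for more than one device, the practical check is a version audit of the fleet: flag any device still below 16.2, and separately flag any device below 16.1.1, since those are also missing the fix for the actively exploited CVE-2022-42856. The script below is an added example, not part of the article or any Apple or CISA tooling; the inventory lines, device identifiers and the CSV layout (`device_id,platform,os_version`) are constructed for illustration, and it assumes iPadOS shares the 16.2 fix level described for iOS. Versions are compared as integer tuples rather than strings, which avoids the classic mistake of ranking "16.10" below "16.2".

```python
# Fleet audit of iOS/iPadOS versions against the fix levels named in the article.
# Added example; the inventory data below is constructed, not from a real MDM export.

# Fix levels from the article: 16.2 addresses the full set of CVEs, 16.1.1 addressed
# the actively exploited CVE-2022-42856. Assumption: iPadOS is held to the same 16.2 bar.
FULL_FIX = (16, 2, 0)
EXPLOITED_FIX = (16, 1, 1)

# Constructed inventory; format is device_id,platform,os_version (an assumption, not a
# real MDM export format).
INVENTORY = """\
iphone-001,iOS,16.2
iphone-002,iOS,16.1.1
iphone-003,iOS,16.1
ipad-001,iPadOS,16.2.1
iphone-004,iOS,16.10
"""


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '16.2' or '16.1.1' into a 3-tuple so comparisons are numeric.

    Missing trailing components are treated as zero, so 16.2 == 16.2.0.
    Non-numeric input (e.g. a beta label) raises ValueError rather than
    silently comparing as 'old'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts)  # type: ignore[return-value]


def classify(os_version: str) -> str:
    """Map a version string to one of three statuses.

    'patched'                 -> at or above 16.2, all CVEs in the article fixed
    'missing-16.2'            -> has the 16.1.1 fix for CVE-2022-42856 but not the rest
    'exposed-CVE-2022-42856'  -> below 16.1.1, still exposed to the exploited bug
    Note: devices on older major branches (iOS 15 and earlier) simply land in the
    last bucket; this example does not model fixes shipped on those branches.
    """
    v = parse_version(os_version)
    if v >= FULL_FIX:
        return "patched"
    if v >= EXPLOITED_FIX:
        return "missing-16.2"
    return "exposed-CVE-2022-42856"


def audit(inventory_csv: str) -> dict[str, str]:
    """Return {device_id: status} for every non-empty inventory line."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        device_id, _platform, os_version = (f.strip() for f in line.split(","))
        results[device_id] = classify(os_version)
    return results


def needs_attention(inventory_csv: str) -> list[str]:
    """Device ids that are not fully patched, worst cases first."""
    order = {"exposed-CVE-2022-42856": 0, "missing-16.2": 1}
    results = audit(inventory_csv)
    pending = [(order[s], d) for d, s in results.items() if s != "patched"]
    return [d for _, d in sorted(pending)]


if __name__ == "__main__":
    for device, status in audit(INVENTORY).items():
        print(f"{device:12s} {status}")
    print("needs attention:", needs_attention(INVENTORY))
```

Feeding the script a real MDM export only requires adjusting the column split in `audit`; the comparison logic is independent of the inventory source.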
"CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible," said the CISA alert about the security updates.