In what is going to hopefully change into one final iOS 16 replace earlier than iOS 17 is launched this month, Apple has simply launched iOS 16.6.1, an import sub-point launch that fixes a pair of extreme safety flaws in iOS 16.6.
Though late-cycle iOS level releases are often fairly uninspiring, they’re essential to patch vulnerabilities found by safety researchers. Irrespective of how a lot Apple tries to harden its software program towards exploits, it’s unimaginable to catch every little thing in one thing as complicated as iOS. The result’s a cat-and-mouse recreation as safety specialists — hopefully moral, “white hat” hackers — uncover these flaws and report them to Apple to allow them to be patched.
That is exactly why iOS 16.6 was a significant replace; regardless that it carried no user-facing options to encourage of us to replace, it plugged quite a few safety holes, a few of which had already been exploited by malicious hackers to probably compromise customers’ iPhones.
Fortunately, out of 16 safety vulnerabilities mounted in iOS 16.6?, Apple was solely conscious of two flaws being “actively exploited.” To be clear, that doesn’t imply the opposite 14 hadn’t been; merely that Apple and different safety researchers had no proof of this. Nonetheless, as soon as iOS 16.6 was launched together with the record of safety fixes, the cat was out of the bag, giving unhealthy actors a map of learn how to assault gadgets that hadn’t been up to date to iOS 16.6.
The identical is true with two new safety points mounted in iOS 16.6.1 — each of which can have already been actively exploited by mercenary adware.
What’s Mounted in iOS 16.6.1
Particularly, iOS 16.6.1 fixes two vulnerabilities uncovered by Citizen Lab researchers at The College of Toronto?s Munk College of World Affairs and Public Coverage.
The primary, discovered within the ImageIO framework, might enable a maliciously crafted picture posted on a web site or obtained by electronic mail or textual content message to execute arbitrary code in your gadget.
A second flaw present in Apple’s Pockets app might do the identical when receiving a maliciously crafted PassKit attachment, akin to a ticket or loyalty card. Whereas Apple credit itself for locating this one, it additionally acknowledges Citizen Lab for its help.
The 2 flaws are associated to a brand new assault vector found in use by NSO Group’s Pegasus adware. Citizen Lab revealed a information launch at present outlining a brand new BLASTPASS exploit chain present in iOS 16.6 as a “zero-click, zero-day exploit” that’s “able to compromising iPhones operating the newest model of iOS (16.6) with none interplay from the sufferer.”
We confer with the exploit chain as BLASTPASS. The exploit chain was able to compromising iPhones operating the newest model of iOS (16.6) with none interplay from the sufferer. The exploit concerned PassKit attachments containing malicious photographs despatched from an attacker iMessage account to the sufferer.
Citizen Lab
The group at Citizen Lab is utilizing everybody to right away replace their gadgets to iOS 16.6.1 to defend towards this new assault. Additionally they commend Apple for its “speedy investigative response and patch cycle” and “acknowledge the sufferer [of the attack] and their group for his or her collaboration and help” in bringing it to Citizen Lab’s consideration in order that it might be reported to Apple and patched.
Apple’s replace will safe gadgets belonging to common customers, corporations, and governments across the globe. The BLASTPASS discovery highlights the unbelievable worth to our collective cybersecurity of supporting civil society organizations.
Citizen Lab
Citizen Lab additionally encourages those that could face an elevated danger of being focused by Pegasus “due to who they’re or what they do” to allow Apple’s Lockdown Mode.