August 19 update below. This post was first published on August 17, 2022.

Apple has released iOS 15.6.1, along with a warning to update now, because it fixes two security holes already being used to attack iPhones.

The first issue fixed in iOS 15.6.1 is a vulnerability in the iPhone Kernel tracked as CVE-2022-32894 that could allow an application to execute code with kernel privileges. “Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker says on its support page.

The other issue patched in iOS 15.6.1 is a flaw in WebKit, the browser engine that powers Safari, CVE-2022-32893, that could allow arbitrary code execution. Apple says it believes attackers have used it in real-life scenarios.

The iOS 15.6.1 upgrade “provides important security updates and is recommended for all users,” Apple says in its release.

Apple’s iOS 15.6.1 comes just weeks after iOS 15.6, and is the latest of multiple iOS fixes for already exploited issues this year.


Apple doesn’t give any more details about the iPhone vulnerabilities fixed in iOS 15.6.1, to avoid more attackers getting hold of the details. But it goes without saying that this update is a big one, and without information about who is a target, the most sensible thing to do is update now.

“Apple iOS 15.6.1 is an important update,” says independent security researcher Sean Wright. He says it’s possible the two vulnerabilities “could be chained together to allow attackers to remotely gain full access to victims’ devices.”

Taking this into account, he recommends you update your iPhone to iOS 15.6.1 as soon as possible.

I agree. Some people prefer not to install new iPhone versions straight away, waiting instead for any bugs to be ironed out. However, I recommend you make an exception and update to iOS 15.6.1: issues in the Kernel are about as bad as you can get, so it’s not worth taking the risk.

So what are you waiting for? Go to your iPhone Settings > General > Software Update and download and install iOS 15.6.1 now.

August 19 update:

Security company Sophos has shed some light on how the patched iOS 15.6.1 flaws could have led to real-life attacks. In a newly published blog, Sophos principal research scientist Paul Ducklin explains how the CVE-2022-32893 flaw in WebKit, which underpins the Safari browser, could allow a “booby trapped web page” to trick iPhones, iPads and Macs into running unauthorised and untrusted software code. “Simply put, a cybercriminal could implant malware on your device even if all you did was view an otherwise innocent web page,” he says.

He also warns that avoiding Safari won’t help. “The vulnerability potentially affects many more apps and system components than just Apple’s own Safari browser.”

The second vulnerability patched in iOS 15.6.1, tracked as CVE-2022-32894, could allow an attacker who has already gained a basic foothold on an Apple device by exploiting the WebKit bug “to jump from controlling just a single app to taking over the operating system kernel itself.”

These are the sort of “administrative superpowers” normally reserved for Apple itself, Ducklin explains.

This could allow an attacker to spy on apps, access the data on your device, change your security settings, read your messages and activate your camera and mic. Scary stuff.

There are hints that the flaws patched in iOS 15.6.1 were used to perform a very targeted attack to install spyware on a device, the kind of attack typically used against high-profile targets such as dissidents and journalists.

“A working WebKit RCE followed by a working kernel exploit, as seen here, typically provides all the functionality needed to mount a device jailbreak (therefore deliberately bypassing almost all Apple-imposed security restrictions), or to install background spyware and keep you under comprehensive surveillance,” says Ducklin.

He urges people to update to iOS 15.6.1 straight away.

Remember to update all your Apple devices, as the iPhone maker also released iPadOS 15.6.1, watchOS 8.7.1 and macOS Monterey 12.5.1.
