"Apple Fixes 'Actively Exploited' Zero-Day Security Vulnerability Affecting Most iPhones"
Apple has confirmed that a two-week-old iPhone software update fixed a zero-day security vulnerability, which it now says was actively exploited. The update, iOS 16.1.2, was released on November 30 to all supported iPhones, including the iPhone 8 and later, and included unspecified important security updates. According to Apple's security updates page, the update fixed a flaw in WebKit, the browser engine that powering Safari and other apps. If exploited, the flaw could allow malicious code to run on the person's device. Apple stated that the WebKit bug was discovered and reported by security researchers at Google's Threat Analysis Group (TAG), which investigates nation-state-backed spyware, hacking, and cyberattacks. When a user visits a malicious domain in their browser or via the in-app browser, WebKit bugs are often exploited. It is not uncommon for threat actors to discover vulnerabilities in WebKit that can allow them to gain access to the device's operating system and the user's private data. In addition, WebKit flaws can be combined with other flaws to bypass multiple layers of a device's defenses. According to Apple, the vulnerability was exploited against iOS versions prior to iOS 15.1, which was released in October 2021. Apple has also released iOS and iPadOS 15.7.2 to address the WebKit vulnerability in iPhone 6s and later models, as well as some iPad models. This article continues to discuss the actively exploited WebKit vulnerability that Apple has fixed.