When iOS 16.1.2 came out on November 30, we weren’t quite sure why Apple couldn’t wait for iOS 16.2, which was just around the corner. At the time, Apple’s release notes said the update included improvements to the iPhone 14’s Crash Detection and unobtrusive carrier upgrades, neither of which seemed very urgent.
But there was a hidden reason for Apple to release the update when it did. At the time, we knew there was at least one security update, but Apple refused to tell us which one. As part of the flood of updates yesterday, Apple revealed the reason for the updates and it’s a doozy.
The update fixes a zero-day vulnerability in WebKit, the browser engine behind Safari, that could allow an attacker to execute arbitrary code on the device simply by getting it to process maliciously crafted web content, such as a booby-trapped web page. The bug is a type confusion issue, which Apple says it addressed with improved state handling. Apple also says it’s aware of a report that the issue may have been actively exploited “against versions of iOS released before iOS 15.1.”
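To make “type confusion” concrete, here is an added illustration of the bug class in plain C. It is hypothetical code written for this article, not WebKit’s code and not the actual CVE-2022-42856 bug: a tagged value that can hold either an integer or a string pointer, a function that reads the string member without checking the tag (the confusion), and the hardened version that checks the tag first. The names `Value`, `unsafe_as_string`, `safe_as_string` and `safe_length` are all invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical tagged value type, constructed for this illustration.
   The tag says which union member is currently valid. */
typedef enum { VAL_INT, VAL_STR } ValTag;

typedef struct {
    ValTag tag;
    union {
        int64_t     i;   /* valid only when tag == VAL_INT */
        const char *s;   /* valid only when tag == VAL_STR */
    } u;
} Value;

/* VULNERABLE: trusts that the value is a string and reads the pointer
   member without checking the tag. If the value is really an integer,
   the integer's bits are reinterpreted as a pointer, so whoever controls
   the integer controls where later code reads or writes. */
const char *unsafe_as_string(const Value *v) {
    return v->u.s;
}

/* HARDENED: the tag is checked before the union member is touched;
   a non-string value yields NULL instead of a forged pointer. */
const char *safe_as_string(const Value *v) {
    return v->tag == VAL_STR ? v->u.s : NULL;
}

/* Safe consumer: returns the string length, or -1 if the value is not a string. */
long safe_length(const Value *v) {
    const char *s = safe_as_string(v);
    return s ? (long)strlen(s) : -1;
}

/* Shows the confusion without dereferencing: returns the pointer bits that
   the vulnerable path would hand to strlen() for an integer-typed value. */
uintptr_t confused_pointer_bits(int64_t attacker_int) {
    Value n = { VAL_INT, { .i = attacker_int } };
    return (uintptr_t)unsafe_as_string(&n);
}

int main(void) {
    Value str = { VAL_STR, { .s = "hello" } };
    Value num = { VAL_INT, { .i = 0x41414141 } };  /* constructed sample input */

    printf("safe_length(str) = %ld\n", safe_length(&str));   /* 5  */
    printf("safe_length(num) = %ld\n", safe_length(&num));   /* -1 */
    /* The vulnerable path would try to read a string at this address: */
    printf("unsafe pointer from int = 0x%llx\n",
           (unsigned long long)confused_pointer_bits(num.u.i));
    return 0;
}
```

The point of the example is the missing check, not the particular types: in a real engine the “tag” may be a hidden class, a JIT type assumption or an object shape, and the confused read lands on an object layout rather than a bare pointer, but the consequence is the same, attacker-influenced bits treated as a trusted pointer or length.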
The vulnerability (tracked as CVE-2022-42856) was reported by Clément Lecigne of Google’s Threat Analysis Group. According to Bleeping Computer, this is the 10th zero-day vulnerability Apple has patched in 2022. A zero-day vulnerability is one that attackers are exploiting before the vendor knows about it or has shipped a fix, so users have had “zero days” of protection.
It’s not clear why Apple sat on the details of this bug for two weeks, but it’s one of the few times it has done so. Apple also disclosed numerous other WebKit bugs yesterday as part of the Safari 16.2 release for macOS and the iOS 16.2 update.