Apple has just released iOS 16.6.1 and iPadOS 16.6.1, addressing two serious security vulnerabilities in its mobile operating systems.
The first fix addresses a critical flaw that could allow arbitrary code execution when a maliciously crafted image is processed. Apple has acknowledged reports that this vulnerability, which affects all recent iPhones and iPads, may have been exploited in the wild, making it an especially concerning security flaw.
This bug was discovered by Citizen Lab, a security research group at the University of Toronto’s Munk School. Citizen Lab provided additional details on the vulnerability, which it dubbed the “Blastpass Exploit Chain.” Notably, this exploit could compromise iPhones running the latest iOS version (16.6) without requiring any interaction from the device owner.
The vulnerability came to light during an examination of a device owned by an individual associated with a civil society organization based in Washington, DC. On this device, the vulnerability was exploited to deliver the notorious Pegasus spyware.
The second critical bug fixed in the iOS 16.6.1 update may also have been actively exploited. It affected newer iPhones and iPads and allowed attackers to take control of a target’s device by sending them a specially crafted attachment.