When iOS 16.1.2 arrived on November 30, we weren’t entirely sure why Apple couldn’t wait until iOS 16.2, which was right around the corner. At the time, Apple’s release notes said the update contained improvements to the iPhone 14’s Crash Detection and nondescript carrier upgrades, neither of which seemed very pressing.
But there was a hidden reason for Apple to push out the update when it did. At the time, we knew there was at least one security update, but Apple declined to tell us what it was. As part of the flurry of updates yesterday, Apple disclosed the reason for the updates and it’s a doozy.
The update fixes a zero-day vulnerability in Apple’s WebKit engine for Safari that could allow a hacker to execute arbitrary code on your Mac. The flaw is due to a type confusion issue and was addressed with improved state handling. Apple says it is aware of a report that this issue may have been actively exploited “against versions of iOS released before iOS 15.1.”
The vulnerability (tracked as CVE-2022-42856) was found as part of the Bugzilla program by Clément Lecigne of Google’s Threat Analysis Group. According to Bleeping Computer, this is the 10th zero-day vulnerability Apple has fixed in 2022. A zero-day vulnerability is one that was previously unknown to the vendor, so no patch existed when it was first exploited.
It’s not clear why Apple waited two weeks to disclose this bug, but it’s one of the only times it’s done so. Apple also disclosed numerous other WebKit flaws yesterday as part of the Safari 16.2 release for macOS and iOS.