Apple has issued iOS 16.6 along with a warning to update now. That’s because the iOS 16.6 update fixes a hefty 25 iPhone security flaws, two of which are already being used in real-life attacks.
Among the issues patched in iOS 16.6 are 11 in the Kernel at the heart of the iPhone operating system and eight in WebKit, the engine that underpins Apple’s Safari browser.
Apple doesn’t give away much information about what’s fixed in iOS 16.6, to allow as many iPhone users as possible to update before more attackers can get hold of the details. But the iPhone maker says: “This update provides important bug fixes and security updates and is recommended for all users.”
The iOS 16.6 upgrade comes just two weeks after the release of iOS 16.5.1 (c)—Apple’s second Rapid Security Response Update it had to issue twice after the first version came with a serious bug.
While Rapid Security Response fixes are security-only emergency updates, Apple usually waits for major point upgrades like iOS 16.6 for the bulk of its patches. If you’ve already applied 16.5.1 (c), it has fixed the already exploited WebKit vulnerability listed in iOS 16.6, CVE-2023-37450.
Tracked as CVE-2023-38606, the Kernel bug already being used in attacks has been fixed in iOS 16.6. “An app may be able to modify sensitive Kernel state,” Apple said on its support page, adding that it “is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.”
The Kernel flaw fixed in iOS 16.6 is the third iOS issue discovered by security outfit Kaspersky as part of what it calls Triangulation spyware attacks, which plant malware on people’s iPhones without the need for any interaction from the user.
Issues Fixed In iOS 16.6 Are “Pretty Severe”
Flaws such as the issues fixed in iOS 16.6 are sometimes used in attacks using spyware to take control of someone’s iPhone—usually aimed at businesses, government workers and dissidents.
Independent security researcher Sean Wright says the issues fixed in iOS 16.6 are “pretty severe vulnerabilities.”
He says the already-exploited WebKit flaw “can be chained with the Kernel vulnerability” to take control of your device.
Wright warns vulnerabilities of the iPhone’s Kernel “are concerning since this is the heart of the operating system and has many security controls in it.”
“The ability to bypass these controls could be significant, from a security perspective,” says Wright. “Combine these two vulnerabilities with the others, and an attacker could gain full control over a victim’s device.”
Why You Need To Update To iOS 16.6 Now
It’s a good idea to update to iOS 16.6 now, if possible. Wright says there is no need to panic, but “update as soon as you can.”
It’s also worth considering that even if you have Automatic Updates enabled, iOS 16.6 could take a while to reach your device. That means you must check in your Settings for the update and apply it yourself to ensure optimum security.
The iOS 16.6 update is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. Apple also released iOS 15.7.8 and iPadOS 15.7.8 for older device models.
You know what to do. Go to your Settings > General > Software Update and download and install iOS 16.6 now to keep your iPhone safe.