Apple has recently rolled out an emergency update, iOS 16.6.1, that all iPhone users are strongly advised to install.
This update addresses two critical vulnerabilities that are already being exploited in real-world scenarios.
The urgency of this update cannot be overstated. Apple has been tight-lipped about the specifics of what iOS 16.6.1 fixes, likely to give users ample time to update before attackers can exploit the vulnerabilities further.
However, it has been revealed that these flaws have been used to deliver spyware without requiring any user interaction.
The first vulnerability, identified as CVE-2023-41064, resides in ImageIO and allows attackers to execute malicious code through a specially crafted image.
The second vulnerability, CVE-2023-41061, is found in Apple's Wallet and also permits code execution through a malicious attachment. Apple has acknowledged that both issues may have been actively exploited.
These vulnerabilities have been used to deliver spyware like Pegasus, which grants attackers full access to your iPhone, including encrypted apps like WhatsApp.
Security firm Citizen Lab has reported that these flaws were exploited to deliver NSO Group's Pegasus spyware in an active attack.
Timing of the Update
Interestingly, this emergency update comes just as Apple is gearing up to release iOS 17. This suggests that Apple considered these vulnerabilities too critical to wait for the next major update.
Given the severity of these flaws, it's imperative to update to iOS 16.6.1 as soon as possible. To manually update, navigate to iPhone Settings > General > Software Update and download and install iOS 16.6.1.
