iOS 16.6 brings 25 security fixes

Apple has released iOS 16.6, bringing important bug fixes and security updates, including patches for two vulnerabilities that are already being used in real-life attacks.

Among the issues patched in iOS 16.6 are 11 in the Kernel at the heart of the iPhone operating system and eight in WebKit, the engine that underpins Apple’s Safari browser.

While Rapid Security Response fixes are security-only emergency updates, Apple usually waits for major point upgrades like iOS 16.6 to ship the bulk of its patches. If you’ve already applied iOS 16.5.1 (c), you already have the fix for CVE-2023-37450, the already exploited WebKit vulnerability listed in iOS 16.6.

Tracked as CVE-2023-38606, the Kernel bug already being used in attacks has been fixed in iOS 16.6.

“An app may be able to modify sensitive Kernel state,” Apple said on its support page, adding that it “is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.”

The Kernel flaw fixed in iOS 16.6 is the third iOS issue discovered by security outfit Kaspersky as part of what it calls Triangulation spyware attacks, which plant malware on people’s iPhones without the need for any interaction from the user.
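For anyone checking a fleet against the two exploited issues above, the following is an added example (not Apple's or the article's code) that parses iOS version strings, including the Rapid Security Response letter suffix, and reports which of the two fixes a device still lacks. The function names and the sample inventory are assumptions made for illustration.

```python
import re
from typing import NamedTuple

class IOSVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    rsr: str  # Rapid Security Response letter; "" sorts before "a".."z"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\(([a-z])\))?\s*$")

def parse_ios_version(text: str) -> IOSVersion:
    """Parse '16.6' or '16.5.1 (c)' into a tuple that compares in release order."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rsr = m.groups()
    return IOSVersion(int(major), int(minor), int(patch or 0), rsr or "")

# First fixed release for the two exploited issues, as stated in the article.
FIXED_IN = {
    "CVE-2023-37450": parse_ios_version("16.5.1 (c)"),  # WebKit
    "CVE-2023-38606": parse_ios_version("16.6"),        # Kernel
}

def unpatched_cves(version_text: str) -> list[str]:
    """Return the exploited CVEs an iOS 16 device on this version still lacks."""
    version = parse_ios_version(version_text)
    if version.major != 16:
        # The article only gives fix versions for the iOS 16 train.
        raise ValueError(f"not an iOS 16 release: {version_text!r}")
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def triage(inventory: dict[str, str]) -> dict[str, object]:
    """Map each device to its missing fixes, or flag it for manual review."""
    report = {}
    for device, version_text in inventory.items():
        try:
            report[device] = unpatched_cves(version_text)
        except ValueError as exc:
            report[device] = f"manual review: {exc}"
    return report

# Constructed sample inventory (device names are made up for this example).
SAMPLE_INVENTORY = {"phone-01": "16.5.1", "phone-02": "16.5.1 (c)",
                    "phone-03": "16.6", "phone-04": "15.7.1"}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(device, status)
```
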

iOS 16.6 Security Fixes

Apple Neural Engine

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

Find My

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

Kernel

Impact: A remote user may be able to cause unexpected system termination or corrupt kernel memory

Description: A buffer overflow issue was addressed with improved memory handling.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An integer overflow was addressed with improved input validation.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds write issue was addressed with improved input validation.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. 

Description: This issue was addressed with improved state management.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

Impact: A user may be able to elevate privileges

Description: The issue was addressed with improved checks.

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved checks.

libxpc

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

NSURLSession

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improvements to the file handling protocol.

WebKit

Impact: A website may be able to track sensitive user information

Description: A logic issue was addressed with improved state management.

Impact: Processing a document may lead to a cross site scripting attack

Description: This issue was addressed with improved checks.

Impact: Processing web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

Impact: A website may be able to bypass Same Origin Policy

Description: The issue was addressed with improved checks.

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

This issue was first addressed in Rapid Security Response iOS 16.5.1 (c) and iPadOS 16.5.1 (c).

WebKit Process Model

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Web Inspector

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved checks.

iOS 16.6 Supported Devices

iOS 16.5 will run on all iPhones from iPhone 8 onwards. To be exact:

  • iPhone 14
  • iPhone 14 Plus
  • iPhone 14 Pro
  • iPhone 14 Pro Max
  • iPhone 13
  • iPhone 13 mini
  • iPhone 13 Pro
  • iPhone 13 Pro Max
  • iPhone 12
  • iPhone 12 mini
  • iPhone 12 Pro
  • iPhone 12 Pro Max
  • iPhone 11
  • iPhone 11 Pro
  • iPhone 11 Pro Max
  • iPhone XS
  • iPhone XS Max
  • iPhone XR
  • iPhone X
  • iPhone 8
  • iPhone 8 Plus
  • iPhone SE (2nd generation or later)

As normal, to update to iOS 16.6 go to your iPhone Settings > General > Software Update and install iOS 16.6 when you can.