Apple fixes two exploited vulnerabilities in iOS 16.6 security update

Just after releasing iOS 16.6 and iPadOS 16.6 to the public, Apple has revealed the security-related content within the update. Posted to the online support pages, Apple has, as usual, listed all of the included issues, including how they could impact users and systems, and crediting researchers involved in their discovery.

The list for iOS 16.6 and iPadOS 16.6 is headed up by an unusual listing, for Apple Neural Engine. The issue that had the potential to execute "arbitrary code with kernel privileges has been addressed with "improved memory handling."

For Find My, it was found that an app had the potential to read sensitive location information. Improved restrictions were applied to a "logic issue" to fix it.

Of the 16 fixes included in the release, six were related to WebKit, including one where a website could bypass "Same Origin Policy," as well as more typical problems involving arbitrary code execution. Issues were also found under the WebKit Process Model and WebKit Web Inspector.

Five are listed as Kernel updates, with a mix of privilege escalations and code execution issues.

In the list, Apple does denote that two fixes relate to flaws that may have been used in exploits against iOS.

One, for the Kernel, says an app could modify a sensitive kernel state, and that it "may have been actively exploited against versions of iOS released before iOS 15.7.1." The malware was publicly reported on June 1, and was identified by Kaspersky.

The second, under WebKit, is also labeled as having been actively exploited in the past. In this case, the flaw refers to how the processing of web content could lead to code execution.

As well as iOS 16.6 and iPadOS 16.6, Apple also distributed lists of security fixes for its other releases, including macOS Ventura, tvOS 16.6, watchOS 9.6, and releases for earlier operating systems.

AppleInsider recommends that users install updates from software providers, such as Apple, as soon as is practicable to maintain the security of their systems and data. Regular backups of data is also strongly recommended.