It’s time to immediately update your iPhone software again, as a major new security exploit has been patched. Apple released security updates (iOS 16.6.1 and iPadOS 16.6.1) on Thursday that patch two zero-day exploits, meaning hacking techniques that were unknown at the time Apple found out about them. According to the researchers who found the vulnerabilities, the exploits were used against a member of a civil society organization in Washington, D.C.
One patch fixes an issue in which “processing a maliciously crafted image may lead to arbitrary code execution.” Apple says it’s aware of a report that this issue, which affects all newer iPhones and iPads, may have been actively exploited in the wild, which makes it the worst kind of security flaw.
The bug was found by Citizen Lab, the security research facility at the University of Toronto’s Munk School, which shared some more info on how it works and who’s affected. Apparently, this exploit (which Citizen Lab named the Blastpass Exploit Chain) was capable of compromising iPhones running the latest version of iOS (16.6). Worse, it could do this without any interaction from the victim.
The flaw was found while checking the device owned by a person employed by a civil society organization based in Washington, D.C. On their device, the vulnerability was used to deliver the notorious Pegasus spyware.
The new iOS 16.6.1 patch fixes another critical bug, which also may have been actively exploited. It affects newer iPhones and iPads, and it likewise means a hacker could take over someone’s phone by sending them a maliciously crafted attachment.
You can (and should) update your devices now by going to Settings > General > Software Update.