Skip to content
Naked Security Naked Security

Apple patches everything, finally reveals mystery of iOS 16.1.2

There's an update for everything this time, not just for iOS.

Apple has just published a wide range of security fixes for all its supported platforms, from the smallest watch to the biggest laptop.

In other words, if you’ve got an Apple product, and it’s still officially supported, we urge you to do an update check now.

Remember that even if you’ve set your iDevices to update entirely automatically, doing a manual check is still well worth it, because:

  • It ensures that you catch up if something went wrong with your last automatic update.
  • It jumps you to the head of the queue so that even if you haven’t yet been alerted to the update by Apple, you’ll be able to get it at once anyway.

What you need

To summarise, the versions you want to see after you’ve upgraded are as follows:

  • macOS Ventura 13.1
  • macOS Monterey 12.6.2
  • macOS Big Sur 11.7.2
  • tvOS 16.2
  • watchOS 9.2
  • iOS 16.2 (recent devices only)
  • iPadOS 16.2 (recent devices only)
  • iOS 15.7.2 (earlier devices, back to iPhone 6s)
  • iPadOS 15.7.2 (earlier devices, including iPod touch 7th gen)

If you’ve got Big Sur or Monterey, you’ll also need a separate update to take you to Safari 16.2 to fix a number of browser and web-rendering bugs. (Other platform updates get their Safari fixes bundled in.)

Mystery explained

Amusingly, if that’s the right word, some of the the mystery surrounding Apple’s recent iOS 16.1.2 update, which came out all on its own, with no supporting documentation at all, has belatedly been revealed:

https://nakedsecurity.sophos.com/2022/12/02/apple-pushes-out-ios-security-update-thats-more-tight-lipped-than-ever/

A bug in WebKit, Apple’s web rendering engine, known as CVE-2022-42856, apparently showed up in an exploit being used in the wild, and although that bug has now been patched in all the abovementioned updates (except watchOS)…

…it seems that the known exploit only worked on iOS.

Of course, given that the update advisories now explicitly state that the exploit actually only worked “against versions of iOS released before iOS 15.1”, we still don’t know why iOS 16 users got an update while iOS 15 users didn’t.

Perhaps Apple was hoping that some users who were still back on iOS 15, and thus potentially vulnerable, would jump to iOS 16 and get themselves as up-to-date as possible?

Or perhaps the iOS 16.1.2 update was merely a precaution that took less time to push out than it did for Apple to ensure that iOS 16 was not, in fact, at risk?

What to do?

  • On your iPhone or iPad: Settings > General > Software Update
  • On your Mac: Apple menu > About this Mac > Software Update…

2 Comments

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?