iOS 16.6.1—Update Now Warning Issued To All iPhone Users

Apple has issued iOS 16.6.1, an emergency iPhone update you should apply now. That’s because iOS 16.6.1 fixes two serious iPhone flaws, both of which are already being used in real-life attacks.

Apple doesn’t provide much detail about what’s fixed in iOS 16.6.1, to give as many iPhone users time to update before attackers can get hold of the details. However, it has emerged that the flaws fixed in iOS 16.6.1 were used in real-life iPhone attacks to deliver spyware without any interaction from the user.

The first issue patched in iOS 16.6.1 is a flaw in ImageIO, tracked as CVE-2023-41064, which could allow an adversary to execute code via a maliciously crafted image. “Apple is aware of a report that this issue may have been actively exploited,” the iPhone maker said on its support page.

The second security issue fixed in iOS 16.6.1 is a flaw in Apple’s Wallet, tracked as CVE-2023-41061, which could allow an attacker to execute code via a maliciously crafted attachment. Again, Apple warned that it “is aware of a report that this issue may have been actively exploited.”

The iOS 16.6.1 upgrade comes as iOS 17 is due to be released within the coming weeks. Apple must have thought this issue was too important to ignore ahead of the major update of its iOS operating system.

Flaws Used To Deliver iPhone Spyware Fixed In iOS 16.6.1

Spyware such as Pegasus has been in the headlines this past year as it is increasingly being used to target iPhone users. The malware is scary because it allows attackers complete access to your iPhone—even encrypted apps such as WhatsApp—to view, listen to and watch your every move.

The two flaws fixed in iOS 16.6.1 were used for this very purpose, according to security outfit Citizen Lab.

“Last week, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices, Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware,” the security outfit wrote in an advisory.

The attack patched in iOS 16.6.1—dubbed “BLASTPASS” by Citizen Lab—is capable of compromising iPhones running iOS 16.6 without any interaction from the victim, Citizen Lab warned.

According to Citizen Lab, the exploit leveraged PassKit attachments containing malicious images sent from an attacker’s iMessage account to the victim.

“These exploits are usually used against folks with high threat models—people in the public eye, folks working in government, individuals being targeted or harassed by nation state actors, journalists,” security expert Rachel Tobac wrote in a tweet.

“The exploit can be used by an attacker w/out the victim taking an action,” she added.“Here, the attacker can send the attack via iMessage & compromise device to spy/harm.”

Why You Should Update To iOS 16.6.1 Now

Given the seriousness of the flaws, it goes without saying that you should update to iOS 16.6.1 now. Whether you are a target or not, the more information available about the flaws, the more attackers can use them to target iPhone users.

It’s important to update to iOS 16.6.1 as soon as you can, says independent security researcher Sean Wright. While he concedes that attacks using these vulnerabilities are targeted, “it’s still important to update with a sense of urgency.”

There are other steps you can take to stay secure. In addition to updating to iOS 16.6.1, those who think they might be a target can check their device for compromise using a tool such as iVerify. Apple’s Lockdown Mode is also a good idea if your iPhone is at greater risk of attack—but be warned, it does make your device almost unusable.

Wright also warns that the Wallet vulnerability fixed in iOS 16.6.1 is present in Apple Watch—and the ImageIO issue is fixed in a new Mac update, so check and upgrade all your Apple devices.

The iOS 16.6.1 upgrade is available for the iPhone 8 and later, iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

If you want to stay secure, you’ll need to upgrade to iOS 16.6.1 manually—even if you have enabled automatic Apple updates, they roll out to iPhones in a gradual process. Go to your iPhone Settings > General > Software Update and download and install iOS 16.6.1 as soon as possible.