In last week’s iOS 16.3.1, Apple brought multiple security patches to iPhone and iPad users. Apple has now updated its security web page to reveal which vulnerabilities were fixed in the latest iOS update.
Apple’s website to learn that Apple has added a new Common Vulnerability Disclosure (CVE) for iOS 16.3.1, adding three new CVEs to the January release of iOS 16.3.
The new vulnerabilities listed by Apple as patched in iOS 16.3.1 relate to “maliciously crafted certificates” that could lead to a denial-of-service (DoS) attack, in which an attacker finds a way to stop a target machine from providing service, and is a common attack method used by hackers. Apple says the DoS issue has been fixed with “improved input validation”.
In addition, the security content page for iOS 16.3 has been updated to show that three new vulnerabilities have been fixed. One of the vulnerabilities was found in the system’s Crash Reporter, which could allow an attacker to read arbitrary files as root. The other two Foundation-related vulnerabilities could allow an attacker with elevated privileges to execute arbitrary code on an iPhone or iPad, bypassing the application’s sandbox.
It’s unclear exactly why Apple hasn’t mentioned such security vulnerabilities before. But it is worth noting that these vulnerabilities have been fixed in iOS 16.3.1, which is now available to all users. With macOS 13.2.1 and iOS 16.3.1, Apple has also fixed a security vulnerability related to WebKit (the Safari web browser engine) that was “actively exploited.
