Apple updates iOS with enough regularity that it begins to feel routine. And most time, it is, especially the farther you get from the company’s yearly, feature-packed version overhauls. iOS 10.2.1, released today, is not routine. In fact, it’s very important that you download it as soon as you reasonably can.
Most iOS updates involve security fixes of varying severity. iOS 10.2.1, though, protects against a wide range of potentially devastating attacks.
Apple details over a dozen vulnerabilities in all in the iOS 10.2.1 release, including 11 focused around WebKit, the browser engine behind Safari, the App Store, and lots of iOS apps. They also include two instances in which a malicious application could execute arbitrary code with kernel privileges, which is to say, it could take complete control of your device.
“It can add files, delete files, or execute any actions,” says JP Taggart, senior security researcher at Malwarebytes. “Want to record conversations and forward them to someone else? It can do that. Want to install additional malicious software? It can do that. Want to uninstall programs on the affected phone? It can do that. Want to hide these actions, programs and files from the user? It can do that too.”
Several of the WebKit vulnerabilities can also lead to arbitrary code execution, and may be even more alarming. That’s because while Apple can limit the number of malicious apps in its ecosystem through App Store vetting, WebKit presents a less filtered opportunity for malice.
If there’s a bright side to the update announcement, it’s that it took some of the best researchers to find them. Google’s Project Zero, in particular, reported nine of the vulnerabilities. It’s impossible to know for sure, but that makes it unlikely that either awareness or use of these opportunities were widely known among bad actors.
“These were some top notch hackers who found them, so the bar was quite high,” says iOS forensics expert Jonathan Zdziarski.
If they were used, says Taggart, it would most likely have been by nation-states against high-profile targets. And there’s likely not enough information in Apple’s disclosure to start a broader rash of attacks in the near future.
Still, all it takes to be sure in your security is a quick firmware update. When you have a good Wi-Fi connection, go to Settings > General > Software Update. Tap Download and Install. Go get a coffee or something, and by the time you’re back, you should be all patched up. (You can also update through iTunes, if you insist.)
Do it today, if you can. While the bad guys may not know exactly how to compromise your iPhone, they know that it’s possible. “They now know where to concentrate their efforts,” says Taggart,” and what will yield the best results.
Additional reporting by Andy Greenberg.
