According to iOS 10.2.1’s security content page, most of the fixes are for WebKit, the software behind Safari, the App Store, and other iOS apps. WebKit’s vulnerabilities included a malicious website able to open pop-ups and some with arbitrary code executions, with nine of the 11 reported by Google’s Project Zero that looks for zero-day vulnerabilities. Other issues included arbitrary code executions with kernel privileges, which give someone the ability to control your device.
“It can add files, delete files, or execute any actions,” Malwarebytes senior security researcher JP Taggart told Wired. “Want to record conversations and forward them to someone else? It can do that. Want to install additional malicious software? It can do that. Want to uninstall programs on the affected phone? It can do that. Want to hide these actions, programs and files from the user? It can do that too.”
Bugs that were patched with the update include an Auto Unlock bug that might unlock your iPhone when the Apple Watch is off your wrist, a Contacts bug that might lead the app to close with a malicious contact card, and a Wi-Fi vulnerability that can be exploited to briefly display the home screen on an activation-locked device.
There does not seem to be any immediate danger to someone having exploited these vulnerabilities, but the likelihood increases with each passing day. As luck would have it, iOS 10.2.1 is currently available for download for the iPhone 5 and later, iPad fourth generation and later, and iPod Touch sixth generation.
