Apple released iOS 16.5 last week with security fixes that resolve vulnerabilities in the operating system we use daily on our iPhones. But it looks like one of those security fixes is a follow-up to a previously addressed vulnerability back in 2022.
The ColdInvite vulnerability, CVE-2023-27930, according to a report by Jamf “can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel”
That means that someone malicious enough could've gained control of your iOS device using ColdInvite. Luckily, iOS 16.5 resolves the issues and protects your iPhone.
Where things get interesting, however, is when you look at older vulnerability fixes dating back to last year in iOS 15.6.1. ColdInvite was discovered because of a vulnerability Apple fixed last year called ColdIntro (CVE-2022-32894). ColdIntro was patched as part of the iOS 15.6.1 update, and analysis from Jamf states that the 15.6.1 update “mitigates a specific way for an attacker to escape a co-processor but does not fix the root cause of the underlying vulnerability.”
In Layman's terms, iOS 15.6.1 fixed the ColdIntro security risk but not why the risk existed, to begin with. That means that Apple has taken nearly a year to find the root cause of the issue and, finally, has helped the iPhone get rid of its cold.
Apple saves the day
Security vulnerabilities are nothing new, but they can be worrying when you look into the nitty gritty details. Luckily, Apple puts security and privacy at the forefront of its ethos, leading to long-term development, like the one here, to solve potential security risks.
With WWDC on June 5 just around the corner. We'll be watching with eager eyes to see what security enhancements iOS 17 brings to the table. It looks like we could see iMessage Contact Key Verification, either in iOS 16.6 or when WWDC comes around.
