The latest version of iOS came and went on Tuesday without much fanfare, but it turns out that the nondescript update is far more significant than it initially appeared to be. Apple listed all of the security and privacy issues it addressed in the update on a new support page, but the fix at the bottom of the list might be the most notable of the bunch.
After all, Apple has known about this specific security flaw for nearly three years.
Shortly after the update went live, Yair Amit and Adi Sharabani of security company Skycure published a blog post noting that a security flaw they had reported on June 3rd, 2013 had finally been fixed in iOS 9.2.1.
According to Amit and Sharabani, the vulnerability allowed hackers to steal a user’s sensitive information by creating a public Wi-Fi network, having a victim join the network (either by choice or automatically) and redirecting the device to an HTTP website.
From there, they would be able to open the embedded browser screen (also known as a captive portal) that you typically see when joining a Wi-Fi network at the airport or at a hotel, load content onto the user's phone and execute it without the user knowing.
Skycure says that this is the longest it has ever taken Apple to fix an issue the firm has reported, but that the fix was much more complicated than it would be for a typical bug. Thankfully, the issue has been resolved: iOS now has an isolated cookie store for captive portals, which should keep hackers at bay.
You can download iOS 9.2.1 as an over-the-air update from the Settings menu on your iOS device right now.