Apple has released a security update for older iDevices (iPhones, iPads and iPods) to fix three vulnerabilities, two of which are zero-days that are apparently actively exploited in attacks in the wild.
About the fixed flaws
The security update is iOS 12.5.4, which can still be run on older iDevices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
The two vulnerabilities Apple says “may have been actively exploited” are:
- CVE-2021-30761, a memory corruption issue, and
- CVE-2021-30762, a use-after-free bug
Both affect the WebKit browser engine (used by Safari and other iOS web browsers), both may be triggered by maliciously crafted web content and may result in remote code execution, and both have been reported by an anonymous researcher (though Apple does not say whether it’s the same individual).
The third vulnerability patched with this update is a memory corruption issue in the ASN.1 decoder that may also lead to arbitrary code execution if a maliciously crafted certificate is processed.
The latest in a line of actively exploited WebKit vulnerabilities
As per usual, Apple “doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” and chose not to share more details about these bugs.
iOS 12 is used by a minority of iDevice users – between 7 and 10%, depending on the source – and they’ve been repeatedly asked to install security updates in the last six months, to fix a slew of actively exploited WebKit flaws.
Users should install the offered update as soon as possible.