If you’ve got an older iOS device like an iPhone 6 or iPad Air, you may want to fire it up and download Apple’s latest update, iOS 12.5.4.
Apple’s security bulletin says the update squashes two serious security flaws related to the Safari browser, or more specifically the page-rendering engine which runs it, called WebKit. Both flaws are considered “zero-day” flaws because they may already have been exploited in the wild, i.e. used by hackers to attack iPhone users.
The first zero-day flaw, listed as CVE-2021-30761, involves a memory-corruption issue in WebKit. The second, CVE-2021-30762, lets malicious code invade WebKit’s memory space after WebKit has freed up some memory — a “use after free” bug in information-security parlance.
Both flaws were discovered by “an anonymous researcher,” said Apple, and both could let “maliciously crafted web content” run code on an iOS device. In other words, the flaws might let a poisoned website install and run malware on an iPhone. The flaws appear to be unique to iOS 12.
A third flaw, CVE-2021-30737, which does not appear to have been used in active attacks, involves a memory-corruption issue in the handling of ASN.1, a data format used in security certificates and secure communications.
The same flaw, whose discovery was credited to “xerub,” was fixed on newer iPhones with iOS 14.6 in May. An attacker could use this flaw to make an iOS device load and run malware after reading a maliciously crafted security certificate.
Old phones still matter
Apple is patching these flaws on all devices running iOS 12, which includes the iPhone 5s (released in 2013), iPhone 6 and 6 Plus (both released in 2014). These devices didn’t get an upgrade to iOS 13, so they’re still on a point release of iOS 12.
Apple does keep pushing security updates for old devices though, keeping them safe even if they’re denied more modern features. You’d be hard pressed to find an eight-year-old Android phone that still gets security updates.
Millions of people could nevertheless be affected by these flaws. Maybe they’re still using older iPhones, or have old devices knocking around that are used occasionally. That old iPad you use for YouTube, or those old iPhones you’ve given to your kids, could be vulnerable.
How to update to iOS 12.5.4
To update your iOS device, head to the Settings menu, look for “General” and tap “Software Update,” which will find the new patch and download it for you. You might want to make a full backup of your device first, just in case.