If you've been using an iPhone, iPad, or Mac for several years, take note: Apple has patched older iPhones and macOS Catalina to fix three security vulnerabilities that were exploited by hackers.
Devices from iPhone 5s through iPhone 6 Plus, the first two iPad Air models, iPad Mini 3, and the 6th generation iPod Touch can now be upgraded to iOS 12.5.5.
There is also a security patch for macOS 10.15.7 Catalina (the ninth without a "point" upgrade), which will benefit users of iMacs, MacBooks, and Mac Minis released between 2012 and 2014 that cannot upgrade to macOS 11 Big Sur.
However, there is still no apparent fix for another flaw that affects all versions of macOS up to the latest version of Big Sur.
To update your iPhone, tap Settings > General > Software Update; to update your Mac, click the Apple icon in the upper left corner, click System Preferences or Software Update, and follow the prompts.
This new iOS 12 update fixes two flaws cataloged as CVE-2021-30858 and CVE-2021-30860, which were first patched last week on newer iPhones with the release of iOS 14.8 and on Macs with the upgrade to macOS 11.6 Big Sur.
The latter vulnerability has been used by clients of an Israeli spyware company called NSO to spy on dissidents, diplomats, and politicians, especially in the Middle East. The other flaw has also been exploited, but it has not been disclosed who was hacking whom or even who discovered the vulnerability.
iOS 12.5.5 also fixes CVE-2021-30869, a new flaw that allows "malicious applications" to execute their own code on devices, according to an Apple security bulletin. This is thanks to a "type confusion issue" in XNU, the kernel at the core of all current Apple operating systems, including iOS and macOS.
Credit for discovering this vulnerability goes to Erye Hernandez and Clément Lecigne of the Google Threat Analysis Group, plus Ian Beer of Google Project Zero.
As with the other two flaws, Apple has stated that it is "aware of reports of an exploit for this problem in the wild." It has said nothing more than that.
However, Shane Huntley of the Google Threat Analysis Group said on Twitter that the flaw was used in conjunction with another flaw targeting the rendering engine that drives Apple's Safari browser. He added that more information would be released later next month.
The fix for CVE-2021-30869 is the entirety of a new patch for macOS Catalina. The fact that this flaw is not patched in macOS Big Sur or iOS 15 indicates that it is either not present in these newer operating systems or is impossible to exploit.
Apple continues to provide iOS 12 security updates for 2013 and 2014 iPhones and iPads (the same years as the older Macs that were patched) despite its general policy of not supporting mobile devices older than five years.