Apple patches are out – old iPhones get an old zero-day fix at last!

Credit to Author: Paul Ducklin | Date: Tue, 24 Jan 2023 01:24:50 +0000

Last year, on the last day of August 2022, we wrote with mild astonishment, and perhaps even a tiny touch of excitement, about an unexpected but rather important update for iPhones stuck back on iOS 12.

As we remarked at the time, we’d already decided that iOS 12 had slipped (or perhaps been quietly pushed) off Apple’s radar, and would never be updated again, given that the previous update had been a year before that, back in September 2021.

But we had to scrap that decision when iOS 12.5.6 appeared unexpectedly, fixing a mysterious zero-day bug that had been patched several weeks earlier in Apple’s other products.

Given that the iOS 12 bug fixed back then was in WebKit, Apple’s web rendering engine that’s used in all web browsers on iDevices, not just in Safari; given that real-world attackers were already known to be exploiting the hole; given that browser bugs almost always mean that merely looking at an apparently innocent and unimportant-looking web page could be enough to implant spyware on your phone in the background…

…we decided that iOS 12.5.6 was an important update to get:

Updates you thought you’d never see are important to check up on, especially if you own an older “backup” iPhone that you don’t use every day any more, or that you’ve passed on to a less tech-savvy member of your family.

Well, here’s some déjà vu all over again: Apple’s latest updates just dropped, and as far as we can tell, there’s only one zero-day fix amongst the updates, and once again it’s for iOS 12.

Just as importantly, this patch also fixes a hole in WebKit that sounds as though it’s already being abused by attackers for implanting malware.

As it happens, this is the only bug fixed in the iOS 12.5.7 update, and it’s got the official bug number CVE-2022-42856.

That rings a bell

If the bug number CVE-2022-42856 rings a bell, that’s probably because Apple fixed it in two rounds of updates to all its other products in December 2022.

Firstly, there was a mysterious round of updates that turned out to be not so much a round as a solo effort, patching iOS 16.1 up to iOS 16.2.

No other devices in the Apple stable got updated, not even iOS 15, the previous version of iOS that some users stuck to by choice, and others because their older phones couldn’t be upgraded to iOS 16.

Secondly, a few weeks later, came the updates that somehow felt as though they’d been delayed from the first “round”.

At this point, Apple rather curiously (or perhaps we mean confusingly?) admitted that the update already published for iOS 16 was, in fact, a patch against CVE-2022-42856, which had been a zero-day bug all along…

…but a zero-day that applied only to iOS 15.1 and earlier.

In other words, the early availability of the iOS 16.1.2 update, though it did no harm, turned out to have been a “fix” for the one version of iOS that didn’t need it.

That early iOS 16 update would much more usefully have made its first appearance as an iOS 15 patch instead.

Now iOS 12 joins the club

As you already know, because we mentioned the bug number above, there’s now a belated zero-day patch, for that very same bug, that applies to Apple’s oldest extant iOS flavour, namely iOS 12.

Get this update now, because the crooks have known about this one for close to two months at least.

(We’re guessing that the attackers developed a keen interest in fine-tuning their CVE-2022-42856 exploit for iOS 12 as soon as the more widely-used iOS 15 got its updates at the end of 2022.)

Go to Settings > General > Software Update to check if you have the patch already, or to force an update if you don’t.

Lots of other updates, too

For all that the critical iOS 12 zero-day patch fixes one and only one listed bug, Apple’s other products get a wide range of patches, though we didn’t find any that are listed as “already actively exploited”.

In other words, none of the many bugs fixed in any products other than iOS 12 count as zero-days, and therefore by patching right away you are getting ahead of the crooks, not merely catching up with them.

The updated version numbers you’re looking for after you’ve installed the patches are as follows, with their security bulletin pages for easy reference, and the hardware products they apply to:

  • Bulletin HT213597: iOS 12.5.7. For iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
  • Bulletin HT213603: macOS Big Sur 11.7.3. Typically used on older Macs that don’t support the latest versions, such as the original 12″ MacBook from 2015.
  • Bulletin HT213604: macOS Monterey 12.6.3.
  • Bulletin HT213605: macOS Ventura 13.2.
  • Bulletin HT213598: iOS 15.7.3 and iPadOS 15.7.3. iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).
  • Bulletin HT213606: iOS 16.3 and iPadOS 16.3. iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
  • Bulletin HT213599: watchOS 9.3: Apple Watch Series 4 and later.
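As an added example (not part of the original article), here is a small POSIX shell checker that compares a reported version string against the fixed version numbers listed above, the sort of thing you would drop into a fleet inventory script. The product labels and function names are our own; the version numbers are the ones from the bulletins.

```shell
#!/bin/sh
# Added example, not from the article: does a reported version meet the
# fixed versions in Apple's January 2023 bulletins? Product labels are ours.

# Print the minimum patched version for a product line, or fail if unknown.
patched_version() {
  case "$1" in
    ios12)    echo 12.5.7 ;;   # HT213597
    ios15)    echo 15.7.3 ;;   # HT213598
    ios16)    echo 16.3 ;;     # HT213606
    bigsur)   echo 11.7.3 ;;   # HT213603
    monterey) echo 12.6.3 ;;   # HT213604
    ventura)  echo 13.2 ;;     # HT213605
    safari)   echo 16.3 ;;     # separate download on Big Sur / Monterey
    watchos)  echo 9.3 ;;      # HT213599
    *) return 1 ;;
  esac
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically, so 12.6.3 is correctly NOT >= 12.6.10.
version_ge() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}; bx=${b%%.*}
    [ "$ax" = "$a" ] && a="" || a=${a#*.}
    [ "$bx" = "$b" ] && b="" || b=${b#*.}
    ax=${ax:-0}; bx=${bx:-0}      # 13.2 and 13.2.0 compare equal
    [ "$ax" -gt "$bx" ] && return 0
    [ "$ax" -lt "$bx" ] && return 1
  done
  return 0
}

# is_patched PRODUCT VERSION: report and return 0 (patched) or 1 (update needed).
is_patched() {
  want=$(patched_version "$1") || { echo "unknown product: $1" >&2; return 2; }
  if version_ge "$2" "$want"; then
    echo "$1 $2: PATCHED (>= $want)"; return 0
  else
    echo "$1 $2: UPDATE NEEDED (fixed in $want)"; return 1
  fi
}

# On a real Mac you would feed it the live values, e.g.
#   is_patched ventura "$(sw_vers -productVersion)"
#   is_patched safari "$(defaults read /Applications/Safari.app/Contents/Info CFBundleShortVersionString)"
```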

As usually happens with Mac updates, there’s a new version of the WebKit rendering engine and the Safari browser, dubbed Safari 16.3, presumably to match the biggest product version number on the list above, namely iOS 16.3 and iPadOS 16.3.

If you have the latest version of macOS, namely macOS Ventura 13, this new Safari version arrives along with the macOS update, so that’s all you need to download and install.

But if you’re still on macOS 11 Big Sur or macOS 12 Monterey, the Safari patches come as a separate download, so there will be two updates waiting for you, not one. (That second update isn’t one you forgot from last time!)

What to do?

On macOS, use: Apple menu > About this Mac > Software Update…

As mentioned above, on iPhones and iPads, use: Settings > General > Software Update.

Don’t delay, especially if you’re still running an iOS 12 device…

…please do it today!
