Apple has released an update to iOS 12 for older iPhones and iPads that fixes two serious vulnerabilities exploited in the wild. Both zero-days are in WebKit and allowed remote code execution when a user visited a malicious website.
The fixes ship in iOS 12.5.4, which is available for older Apple devices that can no longer run the current iOS 14: the iPhone 5s, iPhone 6 and 6 Plus, the iPad Air and iPad mini 2 and 3, and the iPod touch (6th generation). The update addresses three vulnerabilities in total. CVE-2021-30737 is a memory corruption issue in the ASN.1 decoder; Apple gives no indication that it was actively exploited.
The other two vulnerabilities were actively exploited, according to Apple. CVE-2021-30761 and CVE-2021-30762 are both in WebKit, the browser engine behind Safari. Details have not been disclosed, but Apple describes them as a memory corruption issue and a use-after-free respectively, and both could be triggered simply by visiting a malicious website.
As usual, Apple says nothing about how the vulnerabilities were exploited, so it is not clear who was behind the attacks or how widespread they were, only that the affected devices were older models. It is notable, though not unprecedented, that Apple still patches older versions of iOS. iOS 12.5.3 was also released for older devices last month; it fixed three vulnerabilities in WebKit that were likewise actively exploited and also affected current iPhones.