Apple has released an update to iOS 12 that fixes three vulnerabilities. The zerodays may have been actively abused. With the update, Apple smartphones from 2013 will also receive the security update.
The iOS 12.5.5 update fixes vulnerabilities in CoreGraphics, WebKit, and XNU. The two vulnerabilities in CoreGraphics and Webkit both allowed arbitrary code to be executed. With CoreGraphics it was about custom PDF files, with WebKit multiple types of files could cause the problems.
The CoreGraphics vulnerability, CVE-2021-30860, was discovered by The Citizen Lab and has been addressed by improving input validation to prevent integer overflow. WebKit vulnerability CVE-2021-30858 was found by an anonymous researcher. Apple improved memory management to prevent a use after free problem.
The XNU vulnerability made it possible to execute arbitrary code with kernel privileges. To avoid this, Apple has improved state handling to avoid a type confusion issue. This vulnerability has a CVE number of CVE-2021-30869, although this number has been revoked by the CVE program. This vulnerability was found by Google researchers, according to Apple.
With the iOS 12 update, older smartphones and tablets, such as the iPhone 5s from 2013 and the first iPad Air and iPad mini 2 from the same year, will still receive the security update. These vulnerabilities have also been fixed in iOS 14 updates. Apple often releases security updates for iOS 12; 12.5.4 appeared in June.
Apple iPhone 5s