Apple releases critical software update for older iPhones but not iOS 14 devices
Apple doesn’t often update devices that aren’t on the latest version of iOS and iPadOS, so when it does, you should take notice. And this week’s release of iOS 12.5.4 definitely falls into the “critical” category.
iOS 12.5.4 is for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). It patches WebKit vulnerabilities which have been exploited in the wild.
Security
Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code.
CVE-2021-30737: xerub
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-30761: an anonymous researcher
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30762: an anonymous researcher
The CVE-2021-30737 vulnerability was fixed for iOS 14 users in the iOS 14.6 update that was released in May. The two other WebKit fixes will likely be patched in iOS 14.7, which is currently in beta testing. Apple usually pushes out software updates within similar time frames, so it could signal iOS 14.7’s imminent release, but as it stands, the two WebKit vulnerabilities remain unpatched and exploitable for iOS 14 users.
Michael Simon has been covering Apple since the iPod was the iWalk. His obsession with technology goes back to his first PC—the IBM Thinkpad with the lift-up keyboard for swapping out the drive. He’s still waiting for that to come back in style tbh.