Apple patches are out – older iPhones are finally getting an old zero-day patch! – Bare Security

Last year, on the last day of August 2022, we wrote with mild astonishment, and perhaps even a small touch of excitement, about an unexpected but rather important update for iPhones stuck back on iOS 12.

As we noted at the time, we had already decided that iOS 12 had slipped (or perhaps been quietly pushed) off Apple’s radar, and would never be updated again, given that the previous update had been a year before that, back in September 2021.

But we had to abandon that decision when iOS 12.5.6 unexpectedly appeared, fixing a mysterious zero-day bug that had been fixed several weeks earlier in other Apple products.

Since the iOS 12 bug fixed at the time was in WebKit, Apple’s web rendering engine, which is used in all web browsers on iDevices, not just Safari; since real-world attackers were already known to exploit the hole; since browser bugs almost always mean that just looking at a seemingly innocent and unimportant webpage could be enough to plant spyware on your phone in the background…

…we decided that iOS 12.5.6 was an important update to get:

It’s important to check for updates you thought you’d never see, especially if you have an old “backup” iPhone that you no longer use every day or have passed on to a less tech-savvy member of your family.

Well, here’s deja vu again: Apple’s latest updates have just dropped, and as far as we can tell, there’s only one zero-day fix among the updates, and again it’s for iOS 12!

In fact, this zero-day is the only bug fixed in the iOS 12.5.7 update, and it has the official bug number CVE-2022-42856.

It rings a bell

If the bug number CVE-2022-42856 rings a bell, it’s probably because Apple patched it in two rounds of updates to all of its other products in December 2022.

First, there was a mysterious series of updates that turned out to be less of a series than a solitary effort, fixing iOS 16.1 up to iOS 16.2.

No other device in the Apple stable was updated, not even iOS 15, the previous version of iOS that some users stuck to by choice, and others because their old phones couldn’t be upgraded to iOS 16.

Second, a few weeks later, came the updates that somehow felt as though they had been delayed from the first “round”.

At this point, Apple rather oddly (or maybe we mean confusingly?) admitted that the update already released for iOS 16 was, in fact, a fix against CVE-2022-42856, which had indeed been a zero-day bug…

…but a zero day that only applied to iOS 15.1 and earlier.

In other words, the early availability of the iOS 16.1.2 update, while it did no harm, turned out to be a “fix” for the only version of iOS that didn’t need it.

This first iOS 16 update would have much more usefully made its first appearance as an iOS 15 patch instead.

Now iOS 12 joins the club

As you already know, because we mentioned the bug number above, there is now a belated zero-day fix for this same bug, which applies to the oldest iOS version from Apple, namely iOS 12.

Get this update now, because the scammers have known about this one for at least two months.

(We assume the attackers developed a keen interest in refining their CVE-2022-42856 exploit for iOS 12 as soon as the more widely used iOS 15 received its updates in late 2022.)

Go to Settings > General > Software Update to check if you already have the patch, or to force an update if you don’t.

Lots of other updates too

Although the critical iOS 12 zero-day patch fixes one and only one listed bug, other Apple products receive a wide range of fixes, though we couldn’t find any listed as “already actively exploited”.

In other words, none of the many bugs fixed in products other than iOS 12 count as zero days, and so by patching right away, you’re getting ahead of the scammers, not just catching up with them.

The updated version numbers to look for after you have installed the patches are as follows, with their security bulletin pages for easy reference, and the hardware products to which they apply:

  • Bulletin HT213597: iOS 12.5.7. For iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation).
  • Bulletin HT213603: macOS Big Sur 11.7.3. Typically used on older Macs that don’t support the latest versions, like the original 12″ MacBook from 2015.
  • Bulletin HT213604: macOS Monterey 12.6.3.
  • Bulletin HT213605: macOS Ventura 13.2.
  • Bulletin HT213598: iOS 15.7.3 and iPadOS 15.7.3. For iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation) and iPod touch (7th generation).
  • Bulletin HT213606: iOS 16.3 and iPadOS 16.3. For iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
  • Bulletin HT213599: watchOS 9.3. For Apple Watch Series 4 and later.

As usually happens with Mac updates, there is a new version of the WebKit rendering engine and Safari browser, dubbed Safari 16.3, presumably to match the largest product version number in the list above, namely iOS 16.3 and iPadOS 16.3.

If you have the latest version of macOS, namely macOS Ventura 13, this new version of Safari comes with the macOS update, so that’s all you need to download and install.

But if you’re still using macOS 11 Big Sur or macOS 12 Monterey, Safari patches are available as a separate download, so there will be two updates waiting for you, not one. (This second update isn’t the one you forgot last time!)

What to do?

On macOS, use: Apple menu > About This Mac > Software Update…

As mentioned above, on iPhone and iPad, use: Settings > General > Software Update.

Don’t delay, especially if you’re still using an iOS 12 device…

…please do it today!
