Apple emits emergency patch for older iPhones after snoops pounce on WebKit hole
Also: Yay for Data Privacy Day!
Apple has issued an emergency patch for older kit to fix a WebKit security flaw that Cupertino warns is under active attack.
On Monday, Apple released iOS 12.5.7 for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch. It also updated iOS and iPadOS 15 and 16, but it appears that, at least as of now, attackers are only going after devices running the very old iOS 12.
If you have one of these older devices, we'd suggest updating to the new iOS immediately as the vulnerability that it fixes, tracked as CVE-2022-42856, sounds like a nasty one. Websites, for one, can exploit this flaw to hijack vulnerable phones that surf by.
"Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in the security update. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1."
Apple didn't provide any other details about who is responsible for the in-the-wild exploits. The bug was, however, discovered by Google Threat Analysis Group's Clément Lecigne, and that's significant because TAG tracks nation-state attackers and commercial spyware, so it's unlikely that the CVE-2022-42856 exploits will be attributed to a bunch of script kiddies.
Also, if CVE-2022-42856 sounds familiar, it should. Apple patched the vulnerability in iOS 16 in December and iOS 15 in November. But not everyone updates or can update.
While the iPhone bug is the most urgent, Apple also released software updates to fix flaws in its other products this week. This includes Apple TVs, its Safari web browser, macOS Big Sur, Monterey and even Ventura (is anyone still running this OS?), and Apple Watches series 4 and later.
None of the vulnerabilities listed in these other security updates are under active exploit — that we know of at least.
On Tuesday, the US Cybersecurity and Infrastructure Security Agency weighed in on the Apple bugs, too, and urged users and administrators to "apply the necessary updates as soon as possible."
Mark your calendar: it's Data Privacy Day
In addition to fixing a bunch of bugs, Apple also rolled out educational resources and a short film to promote awareness about how users can better protect their private data using Apple's built-in security controls, so long as you're not in China.
The new videos will go live on January 28, in honor of Data Privacy Day, which falls six days after another US privacy milestone — Roe v. Wade — would have celebrated 50 years of constitutional protection if the Supreme Court hadn't overturned the guaranteed right to abortion last year.
But back to Apple: on Saturday the tech giant will debut a video, titled "Taking Charge of Your Privacy on iPhone," that explains how to customize features including Mail Privacy Protection, Safety Check, Location Services, and passkeys.
And here's how Apple describes the short:
The whimsical short film "A Day in the Life of an Average Person's Data" invites users to follow Apple TV+ Ted Lasso star Nick Mohammed through his average day, explaining how bad actors misuse data — and how Apple works to keep his personal information safe.
So after you've spent the work-week updating all of your devices' operating systems, take a break and (hopefully) score a few laughs. If you're in America that is. ®