Don't be surprised if your old iPhone or iPad receives an update this week. Apple has extended a recent patch, previously released only for models that are still supported, to older devices. It addresses a critical vulnerability that allowed remote code execution, which could be used to break into corporate devices and the networks to which they are linked.

Seven models are receiving the update this week, all of them considered classics by Apple. That label applies to products whose distribution ended five to seven years ago; the most recent iOS version released for them had been 12.5.5, in September 2021. The following devices now receive the new patch:

iPhone 5s;

iPhone 6 and iPhone 6 Plus;

iPad Air;

iPad mini 2 and iPad mini 3;

iPod touch (6th generation).

The vulnerability is in WebKit, the component Apple uses to display web pages inside apps and other software, and is tracked as CVE-2022-32893. It was a zero-day, unknown until specialists reported it to the manufacturer. Simply visiting a maliciously modified page was enough for data to be written outside the bounds of memory, enabling the remote attacks mentioned above.

In publishing an official note about the update, Apple again stressed the urgency of installing the patch, as the vulnerability has been actively exploited by criminals. More technical information about the flaw is not available, so as not to increase the volume of attacks, and the recommendation, now to an even larger group of users, is to update as soon as possible.

The danger is great enough to have prompted the inclusion of the flaw in a US government list of vulnerabilities that are being actively exploited. According to the Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability can be used by criminals in scams against essential service companies, and all branches of public administration must apply the fixes urgently.

The zero-day has also been fixed in macOS Monterey and on iPhone and iPad models that are still supported by Apple. The Safari browser was fixed as well. In all cases, a second vulnerability, which allowed attackers to reach the operating system kernel from remote code execution, was also closed.

Source: Apple