Apple this week released urgent security updates to address zero-day vulnerabilities on older model iPhones, iPads, and iPods.
The patches, pushed out on Wednesday, address an out-of-bounds write issue that could be exploited by an attacker enabling them to take control of the affected device. The US Cybersecurity and Infrastructure Agency (CISA) today encouraged users and IT admins to review Apple’s advisory HT213428 and apply the necessary updates.
Apple did not immediately respond to a request for comment on whether the vulnerabilities had come to its attention through active exploits, but its security update did say, “Apple is aware of a report that this issue may have been actively exploited.”
The software flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, a system funded by a division of the US Department of Homeland Security (DHS) to a ensure public disclosure of security vulnerabilities and exposures.
“The issue is that if a web page is constructed in a certain way, it can cause code to execute on the device outside of the normal containment and effectively create a malware situation on the device that could compromise data, contacts, location, insert malicious SW, etc.,” said Jack Gold, principal analyst at J. Gold Associates, LLC.
“So it’s a big deal,” he added.
The vulnerabilities affect the iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) and computers running older macOS versions.
The fact that the issue affects that older group of devices — and not newer models — means that there are relatively few devices at risk, Gold noted. Even so, he said, anyone with one of the older devices should update as soon as possible.
While a patch offered for older devices may seem unimportant, cybercriminals are particularly fond of older unpatched technology, especially if the vulnerability gives them complete control and the ability to gain access to other systems and services.
“An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability,” Malwarebytes said in a blog post today. “Since the vulnerability exists in Apple’s HTML rendering software (WebKit). WebKit powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.”
The issue is fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. Apple is encouraging users to upgrade to the latest versions of its software.