If you’ve already listened to this week’s Naked Security Podcast you’ll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday…
…had been dumped forever by Apple.
Apple notoriously won’t tell you anything about the security situation in its products unless and until it has a patch out.
So when iOS 14 got updated in the last couple of patch cycles, but iOS 12 didn’t, we couldn’t tell whether it was still safe and didn’t need the patches, whether it needed the patches but they’d be a bit late, or whether it needed the patches but would never get them.
And with iOS 15 arriving as the new kid on the block this week, we assumed the worst, following the “one-in-one-out” principle.
We haven’t finished because we haven’t even started
We speculated in the podcast that iOS 12 didn’t get any patches not because Apple hadn’t finished creating them yet, but because Apple hadn’t even started on the updates, and never would.
We guessed that iOS 12, along with the older devices that it runs on, had run out of support, and thus that Apple wouldn’t be updating iOS 12 again. (The words we used were, “If only Apple would say, ‘iPhone 6 and earlier; iOS 12: curtains closed, we won’t be supporting you any more.’”)
Well, we were wrong.
We just received Apple’s latest email security notification – ironically, delivered directly to our iPhone 6 running iOS 12.5.4 – to tell us about the latest security update, iOS 12.5.5.
So there’s life in the old phone yet, and more importantly, two critical zero-day bugs that were fixed in iOS 14 last week have now been patched in iOS 12 as well.
Turns out that iOS 12 wasn’t dead after all, merely resting.
Better late than never
The first of the bugs is the infamous CVE-2021-30860 flaw, also dramatically dubbed FORCEDENTRY by Citizen Lab, the organisation that originally disclosed it to Apple so it could be patched.
According to Citizen Lab, the malware by means of which CVE-2021-30860 was investigated came from from an activist’s iPhone, where it had allegedly been implanted via an exploit embedded in a booby trapped iMessage communication.
The second iOS 12 bug that had already been patched in iOS 14 was CVE-2021-30858, a mysterious WebKit zero-day vulnerability.
This bug was also seen in the wild, and is presumably just as dangerous as the Citizen Labs one, although it lacked any dramatic backstory, and didn’t have a research company behind it to talk it up to the media – it was credited simply to “an anonymous researcher.”
An injury to one is an injury to all
Those bugs, as we can now see, were apparently not introduced via new features in the iOS 14 code, but were inherited by iOS 14 from iOS 13 (now officially superseded by iOS 14, and therefore not supported as a version on its own any more), which got them in turn from iOS 12.
Just as importantly, the iOS 12.5.5 update also fixes a THIRD zero day hole, this time in XNU, the open source heart of Apple’s operating system kernel.
We don’t have any details about that bug, dubbed CVE-2021-30869, other than that it was patched and that Apple has said “an exploit for this issue exists in the wild.”
By the way, the CVE-2021-30869 bug exists in Catalina, the previous but still-supported version of the macOS operating system, which therefore gets an update, too.
What to do?
- Get iOS 12.5.5 for older iPhones and iPads. Until iOS 13 came out and split into two separate strains called iOS and iPadOS, the same update was used for Apple’s phones and tablets.
- Get Security Update 2021-006 for Macs running macOS Catalina. This sort of update doesn’t bump up the Catalina version number, which remains at 10.15.7.
Use Settings > General > Software Update on your Apple phones and tablets,
and use Apple menu > System Preferences > Software Update on laptop and desktop Macs.