Apple Releases iOS 12.5.6 for Old iPhone, iPad, iPod touch Models to Fix Actively Exploited Vulnerability

Posted on August 31st, 2022 by

On Wednesday, August 31, Apple released a surprise security update for iOS 12 to fix an “actively exploited” (i.e. in-the-wild, zero-day) vulnerability. Apple previously patched the same vulnerability for iOS 15 on August 17.

Let’s take a look at what this update has to offer, as well as what Apple did right and what the company could have done better. We’ll also examine whether to expect further iOS 12 security updates in the future.

iOS 12.5.6 patches one critical vulnerability

Apple indicates that this update addresses only a single security vulnerability. Nevertheless, it’s quite serious and requires urgent patching:

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.*
Description: An out-of-bounds write issue was addressed with improved bounds checking.
WebKit Bugzilla: 243557
CVE-2022-32893: an anonymous researcher

*emphasis added

Those are all the details that Apple has published regarding the security content of iOS 12.5.6.

The iOS 12.5.6 update is available for the following hardware: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

All models older than those listed are highly vulnerable to significant security and privacy threats, and should not be used for Web browsing, e-mail, or other online uses.

All models newer than those listed are capable of running iOS 15 or iPadOS 15, and should be updated accordingly. Notably, however, some iPhone models that run iOS 15 will not be able to run iOS 16. The same is true for iPads in relation to iPadOS 15 and iPadOS 16. Meanwhile, Apple has chosen to exclude all iPod touch models from being able to run iOS 16, including the 7th-generation (and final) model that was recently discontinued in May.

Apple’s Planned Obsolescence: iOS 16, macOS Ventura Drop Support for Many Models

Unfortunately, it may take as long as 1–4 weeks for any new iOS or iPadOS version to roll out to customers (as discussed on episode 233 of the Intego Mac Podcast). Users who find out about updates sooner through third-party Apple or security news sources, like Intego’s The Mac Security Blog, can manually check for new updates when they’re released.

To install the latest iOS or iPadOS updates, check the Settings app on your device: Settings > General > Software Update. The process is the same regardless of whether you use an iPhone, iPad, or iPod touch.

What did Apple do right?

One very welcome change in Apple’s iOS 12.5.6 release notes was a short sentence explaining, “iOS 12 is not impacted by CVE-2022-32894.” This CVE number is associated with a second vulnerability that was patched two weeks ago in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1.

Apple very rarely makes public statements about why particular vulnerabilities are not patched for older operating system versions. It was great to see Apple being more transparent about this with iOS 12.5.6. We hope that this is a sign of things to come.

The final iOS 12 security update?

It was also nice to see Apple still releasing at least some minimal security updates for known-exploited vulnerabilities on iOS 12. However, only time will tell what will happen after the release of iOS 16 and iPadOS 16.

With iOS 15 and iPadOS 15 becoming “the new iOS 12” in terms of being the final supported operating system for a number of hardware models, it’s possible that Apple might drop all security updates for iOS 12 going forward, and instead only issue minimal updates for iOS 15 and iPadOS 15.

For reference, the following hardware is forever limited to iOS 12:

  • iPhone 5s, iPhone 6, iPhone 6 Plus
  • iPad Air, iPad mini 2, iPad mini 3
  • iPod touch (6th generation)

The following hardware is forever limited to iOS 15 or iPadOS 15:

  • iPhone 6s, iPhone 6s Plus, iPhone SE (1st gen), iPhone 7, iPhone 7 Plus
  • iPad Air 2, iPad mini 4
  • iPod touch (7th generation)

Apple has not yet made public statements about whether any past versions of iOS or iPadOS will continue to get security updates after the releases of iOS 16 and iPadOS 16. We’ve inquired of Apple, and we will update this article if a company representative responds.

What could Apple have done better?

There was a two-week delay between the releases of iOS 15.6.1 and iOS 12.5.6; the former fixed the same security vulnerability that applied to the latter. Two weeks is a long time to have to wait to get patches for a vulnerability that is already known to be actively exploited in the wild. On the bright side, two weeks is better than the six and a half weeks that Apple took to patch actively exploited vulnerabilities in macOS Big Sur and macOS Catalina following a macOS Monterey update earlier this year.

Perhaps the worse problem is that iOS 14 and iPadOS 14 updates are nowhere to be found. Apple promised at WWDC 2021, and continues to claim in multiple places on its site, that users can “continue to use iOS or iPadOS 14 while still getting important security updates for a period of time.” Evidently, that “period of time” was only 36 days after the release of iOS 15; Apple has not released any iOS 14 or iPadOS 14 updates since 14.8.1 way back in October 2021.

We’ve asked Apple whether it plans to release any further updates for iOS 14 and iPadOS 14. If an Apple representative responds, we will update this article with the company’s statement.

Additionally, while it’s nice that Apple specifically stated that CVE-2022-32894 was not applicable to iOS 12, Apple never made any statement about whether macOS Big Sur or macOS Catalina (or even watchOS or tvOS) were affected by the same actively exploited kernel vulnerability. Apple only patched that particular vulnerability for macOS Monterey, iOS 15, and iPadOS 15, but not for the company’s other supported operating systems. Apple still has not replied to our inquiries as to whether those operating systems are vulnerable.

Key takeaways

At this point, iOS 12 isn’t very safe to use anymore, given that it has only been receiving cherry-picked security updates, specifically for vulnerabilities known to have been actively exploited. It’s possible that this may have been the final security update for iOS 12; only time will tell. Whenever possible, it’s safest to always stay on the current version of any Apple operating system.

Given the impending releases of iOS 16 and iPadOS 16, it’s important to ensure that your iPhone or iPad is compatible with the new operating systems. If not, it would be wise to upgrade soon. Apple is expected to announce new iPhone models next Wednesday, September 7, at its “Far out” media event. We previewed the event on episodes 254 and 255 of the Intego Mac Podcast, and we’ll cover the event next week on episode 256; follow the podcast to make sure you don’t miss it.

Whenever an Apple update addresses an “actively exploited” security issue, it is important to install the update as soon as you can. Thus, you should definitely prioritize installing this week’s iOS update if you still have an older device running iOS 12.

Whenever you’re preparing to update iOS, iPadOS, or macOS, always back up your data before installing any updates. This gives you a restore point if something does not go as planned.

See also our related article on the best approach for backing up your iPhone or iPad:

Should You Back Up Your iOS Device to iCloud or Your Mac?

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices.

Next week, Kirk and Josh will discuss more about the latest Apple updates on episode 256. Be sure to follow the podcast to make sure you don’t miss any episodes!

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Twitter, Facebook, YouTube, Pinterest, LinkedIn, and Instagram. You can also follow the Intego Mac Podcast on Apple Podcasts.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 20 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter.