Critical update for older iPhones
Apple delivers critical update for older iPhones, but not iOS 14 devices
It’s rare for Apple to deliver updates for devices that aren’t running the latest version of its iOS and iPadOS systems, so when it does, the update deserves attention. The iOS 12.5.4 version delivered last week definitely falls into the critical category. For iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), this update resolves vulnerabilities in WebKit that have been exploited in the wild.
Security
Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution.
Description: A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code.
The vulnerability, tracked as CVE-2021-30737, was reported by xerub.
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved state management.
The vulnerability, tracked as CVE-2021-30761, was reported by an anonymous researcher.
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use-after-free issue was addressed with improved memory management.
The vulnerability, tracked as CVE-2021-30762, was reported by an anonymous researcher.
CVE-2021-30737 was fixed for iOS 14 users in the iOS 14.6 update released in May. The patches for the two WebKit vulnerabilities, on the other hand, will probably arrive in iOS 14.7, which is currently in beta. Apple generally releases its software updates in similar time frames, which could indicate that the release of iOS 14.7 is imminent. But for now, on iOS 14 these two WebKit vulnerabilities are not patched and remain exploitable.