This bug is tracked as CVE-2022-3289 and is an out-of-bounds write vulnerability in WebKit. Apple patched it on all of its latest iPhones, iPads, and Macs in last month’s update, and is now backporting the patch to older devices.
Patching Security Bug in Older iPhones
Last month, Apple released a security update to patch two critical security vulnerabilities in its devices that would let attackers hack iPhones, iPads, and Macs remotely through malicious code. All they have to do is redirect the target user to a malicious website and leverage the bug in Apple’s WebKit for exploitation. At that time, Apple said it knew of active exploitation of this bug in the wild, but it did not reveal any details, to give the community enough time to patch before attackers exploit it.

Now, Apple has backported that security patch to the older devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), all of them running iOS 12.5.6. In a security advisory published today, Apple reiterated that it’s aware of the vulnerability being exploited, and urged users to apply the update as soon as possible. Though the bug is mostly a concern in targeted attacks, updating is advisable to block potential attacks.

Last month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added this bug to its catalog of exploited vulnerabilities, forcing the Federal Civilian Executive Branch (FCEB) agencies to patch it to protect against active threats.