Apple has released an update for older iPhones and iPads that includes a fix for a WebKit vulnerability that has been exploited in the wild.
That vulnerability (CVE-2022-32893) has been known publicly for two weeks, since Apple released updates for newer iPhones and iPads to address it. At the time, the company did not mention any plans to address the bug in older devices, but because attackers have actively exploited the flaw already, the move is unsurprising.
The bug lies in the WebKit browser engine that is part of iOS, iPadOS, and macOS, and is an out-of-bounds write issue that can allow an attacker to run arbitrary code on a victim’s device.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the Apple advisory says.
“An out-of-bounds write issue was addressed with improved bounds checking.”
The update to iOS 12.5.6 should be a priority for any user with an older device, including iPhone5s, 6, 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and sixth generation iPod Touch. The initial Apple update to fix this bug in newer devices came out on Aug. 17, so the details of the vulnerability have been public for two weeks, and unknown attackers were exploiting it even before the advisory was out.
Apple also fixed a second zero day exploited in the wild in that Aug. 17 update, but that flaw (CVE-2022-32894) does not affect the older versions of iOS running on the devices patched today.