Apple fixes zero-day security flaws on older iPhones — update now
Users of older iOS devices can already access this update
If you’ve got an older iOS device like an iPhone 6 or iPad Air, you may want to fire it up and download Apple’s latest update, iOS 12.5.4.
Apple's security bulletin says the update squashes two serious security flaws related to the Safari browser, or more specifically the page-rendering engine which runs it, called WebKit. Both flaws are considered "zero-day" flaws because they may already have been exploited in the wild, i.e. used by hackers to attack iPhone users.
- Spoilt for choice, here's the best iPhones to buy
- Need more screen, the best tablets for 2021 will guide you
- Plus: Apple Car news — Apple reportedly in talks with battery suppliers
The first zero-day flaw, listed as CVE-2021-30761, involves a memory-corruption issue in WebKit. The second, CVE-2021-30762, lets malicious code invade WebKit's memory space after WebKit has freed up some memory — a "use after free" bug in information-security parlance.
Both flaws were discovered by "an anonymous researcher," said Apple, and both could let "maliciously crafted web content" run code on an iOS device. In other words, the flaws might let a poisoned website install and run malware on an iPhone. The flaws appear to be unique to iOS 12.
A third flaw, CVE-2021-30737, which does not appear to have been used in active attacks, involves a memory-corruption issue in ASN.1, software used to encrypt and decrypt secure communications.
The same flaw, whose discovery was credited to "xerub," was fixed on newer iPhones with iOS 14.6 in May. An attacker could use this flaw to make an iOS device load and run malware after reading a maliciously-crafted security certificate.
Old phones still matter
Apple is patching these flaws on all devices running iOS 12, which includes the iPhone 5s (released in 2013), iPhone 6 and 6 Plus (both released in 2014). These devices didn’t get an upgrade to iOS 13, so they’re still on a point release of iOS 12.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
Apple does keep pushing security updates for old devices though, keeping them safe even if they’re denied more modern features. You'd be hard pressed to find an eight-year-old Android phone that still gets security updates.
Millions of people could nevertheless be affected by these flaws. Maybe they're still using older iPhones, or have old devices knocking around that are used occasionally. That old iPad you use for YouTube, or those old iPhones you’ve given to your kids, could be vulnerable.
How to update to iOS 12.5.4
To update your iOS device, head to the Settings menu, look for “General” and tap “Software update,” which will find the new patch and download it for you. You might want to make sure you’ve made a full backup of your device first just in case.
Ian has been involved in technology journalism since 2007, originally writing about AV hardware back when LCDs and plasma TVs were just gaining popularity. Nearly 15 years on, he remains as excited as ever about how tech can make your life better. Ian is the editor of T3.com but has also regularly contributed to Tom's Guide.