Apple has just released iOS 12.5.5, a security-only update for iOS 12.
Some in the security industry had wondered whether iOS 12 would continue to get occasional security updates. At the announcement of iOS 15, Apple stated that iOS 14 would continue to get security updates. However, Apple had not made any public statements about iOS 12.
The aging iOS 12 is the final version to support several hardware models, namely:
While most of these models were discontinued in 2016 or earlier, there are two notable exceptions.
After briefly discontinuing iPhone 6, Apple restarted sales of the 32 GB model in some markets from February 2017 through September 2018. That means that some customers bought a new iPhone 6 as little as three years ago—and just one year before iOS 13 dropped support for it.
But the most recently discontinued product on this list is the 6th-gen iPod touch. Apple stopped selling it in May 2019—just four months before iOS 13 was released. This may be the shortest period of time in history between Apple’s discontinuance of hardware and discontinuance of major new OS updates compatible with it.
Perhaps the two devices are a major driving factor behind Apple’s continuance of critical security updates for iOS 12. Many people are still using iPhone 6 today. DeviceAtlas reported in December that iPhone 6 still comprised nearly 6% of the iPhone installed base, with the iPhone 6 Plus and iPhone 5S around 1.5% each.
By Apple's own listing, iOS 12.5.5 fixes only three security issues. That is far fewer than the more than 13 issues addressed in iOS 14.8 and the more than 22 addressed in iOS 15.0.
That is because Apple addressed only issues for which it "is aware of a report that this issue may have been actively exploited." In other words, only vulnerabilities reported to Apple as being exploited in the wild were fixed; all other security vulnerabilities that might apply to iOS 12 remain unpatched.
The three specific issues that Apple addressed in iOS 12.5.5 are as follows:
CoreGraphics
Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution.
Description: An integer overflow was addressed with improved input validation.
CVE-2021-30860: The Citizen Lab
[This is the vulnerability behind the FORCEDENTRY exploit that The Citizen Lab found being used to deliver NSO Group's Pegasus spyware. It was a zero-click attack: the malicious PDF arrived through iMessage, so the "processing a maliciously crafted PDF" impact required no action by the victim.]
WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30858: an anonymous researcher
XNU
Impact: A malicious application may be able to execute arbitrary code with kernel privileges.
Description: A type confusion issue was addressed with improved state handling.
CVE-2021-30869: Erye Hernandez of Google Threat Analysis Group, Clément Lecigne of Google Threat Analysis Group, and Ian Beer of Google Project Zero
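The CoreGraphics entry above names only the bug class ("an integer overflow was addressed with improved input validation"). The following C program is an added illustration of what that class typically looks like in a file parser; it is not Apple's CoreGraphics code and not the CVE-2021-30860 bug itself. It assumes a hypothetical object header carrying an element count and an element size, both attacker-controlled, and a 64 MiB ceiling chosen here as an example limit. The vulnerable size calculation wraps in 32 bits, so the parser would allocate a tiny buffer and then decode far more data into it; the hardened version uses an overflow-checked multiply plus an explicit ceiling and rejects the header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical on-disk object header (assumption for this example):
 * a 32-bit element count followed by a 32-bit per-element size,
 * both little-endian and both supplied by the file, i.e. untrusted. */
typedef struct {
    uint32_t count;
    uint32_t elem_size;
} obj_header_t;

/* Example ceiling a parser could enforce for one object (assumption). */
#define MAX_OBJECT_BYTES (64u * 1024u * 1024u)

/* Vulnerable: the product is computed in 32-bit arithmetic and silently
 * wraps, so the allocation can be far smaller than the data the decode
 * loop will later write into it (a heap buffer overflow). */
uint32_t vuln_alloc_size(const obj_header_t *h) {
    return h->count * h->elem_size;   /* wraps modulo 2^32 */
}

/* Number of bytes the decode loop would actually write for this header. */
uint64_t bytes_decode_will_write(const obj_header_t *h) {
    return (uint64_t)h->count * (uint64_t)h->elem_size;
}

/* Hardened: overflow-checked multiply plus an explicit size ceiling.
 * Returns 1 and stores the size on success, 0 if the header is rejected.
 * __builtin_mul_overflow is available in GCC and Clang. */
int safe_alloc_size(const obj_header_t *h, size_t *out) {
    size_t total;
    if (h->count == 0 || h->elem_size == 0)
        return 0;                      /* nothing to decode, reject */
    if (__builtin_mul_overflow((size_t)h->count, (size_t)h->elem_size, &total))
        return 0;                      /* product does not fit in size_t */
    if (total > MAX_OBJECT_BYTES)
        return 0;                      /* absurd size for this object type */
    *out = total;
    return 1;
}

/* Convenience wrapper: accepted size, or 0 when the header is rejected. */
size_t safe_size_or_zero(const obj_header_t *h) {
    size_t s;
    return safe_alloc_size(h, &s) ? s : 0;
}

/* Decode one 32-bit little-endian field without relying on host endianness. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the header from an untrusted byte buffer (at least 8 bytes). */
obj_header_t read_header(const uint8_t *buf) {
    obj_header_t h;
    h.count = le32(buf);
    h.elem_size = le32(buf + 4);
    return h;
}

/* Constructed malicious header: count = 0x01000001, elem_size = 0x100.
 * count * elem_size = 0x1_0000_0100, which wraps to 0x100 (256) in 32 bits. */
static const uint8_t crafted_header[8] = {
    0x01, 0x00, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x00
};

int main(void) {
    obj_header_t h = read_header(crafted_header);
    printf("vulnerable path allocates %u bytes but decode loop writes %llu bytes\n",
           vuln_alloc_size(&h), (unsigned long long)bytes_decode_will_write(&h));
    printf("hardened path accepts header: %s\n",
           safe_size_or_zero(&h) ? "yes" : "no (rejected)");
    return 0;
}
```

The design point is that validating each field on its own is not enough: 0x01000001 elements of 0x100 bytes each look individually plausible, and only the checked product (or a ceiling on the product) exposes the mismatch. Adding a hard upper bound on top of the overflow check also stops the 64-bit variant of the same mistake, where the product fits in `size_t` but is still large enough to exhaust memory or trip later length arithmetic.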
On the same day as iOS 12.5.5’s release, Apple also issued a security update for macOS Catalina. As of today, Apple indicates that the update addresses a single issue: the XNU vulnerability mentioned above.
Apple frequently revises security update listings weeks or months after initially posting them, so Apple may have quietly fixed other issues as well.
You can also subscribe to our e-mail newsletter and keep an eye here on Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube.