These iPhones and iPads just got an emergency security patch — update now
Apple devices from 2013 and 2014 get defenses against active hacker attacks
If you've been hanging on to your iPhone, iPad, or Mac for a few years, take heed: Apple has patched older iPhones, as well as macOS Catalina, to fix three security vulnerabilities that have been exploited by hackers "in the wild."
Handsets ranging from the iPhone 5s through the iPhone 6 Plus, as well as the first two iPad Air models, the iPad Mini 3 and the sixth-generation iPod Touch can now upgrade to iOS 12.5.5.
- Every Mac can be hacked by this new flaw, and there's no fix yet
- The best Mac antivirus programs
- Plus: Millions of iPhones, TVs, other devices could go offline next week
There's also a security patch (the ninth without a "point" upgrade) for macOS 10.15.7 Catalina, benefiting users of iMacs, MacBooks and Mac Minis released from 2012 to 2014 that can't upgrade to macOS 11 Big Sur.
However, there's still no apparent fix for another flaw affecting all versions of macOS up through the most recent version of Big Sur.
To update your iPhone, tap through Settings > General > Software Update. To update your Mac, click the Apple icon in the top left corner, then System Prefrences or Software Update and follow the prompts.
Catching up with newer devices
This new iOS 12 update fixes two flaws, catalogued as CVE-2021-30858 and CVE-2021-30860, that were first patched last week in newer iPhones with the release of iOS 14.8 and in macOS Big Sur with an upgrade to 11.6.
The latter vulnerability has been used by clients of an Israeli spyware firm called NSO to spy on dissidents, diplomats and political figures, especially in the Middle East. The other flaw has also been exploited, but there's been no public disclosure of who was hacking whom or even who discovered the vulnerability.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
iOS 12.5.5 also fixes a new flaw, CVE-2021-30869, that permits "a malicious application" to run its own code on a device, according to Apple's security bulletin. That's thanks to "a type confusion issue" in XNU, the kernel at the heart of all current Apple operating systems including iOS and macOS.
Credit for the discovery of this vulnerability was given to Erye Hernandez and Clément Lecigne of the Google Threat Analysis Group, plus Ian Beer of Google Project Zero.
As with the other two flaws, Apple states that it "is aware of reports that an exploit for this issue exists in the wild." It's not saying any more.
However, Shane Huntley of Google's Threat Analysis Group said on Twitter that the flaw was used alongside another flaw that targeted the rendering engine powering Apple's Safari browser. He added that more information would be released toward the end of next month.
0day privilege escalation for macOS Catalina discovered in the wild by @eryeh https://t.co/yvCWPo45fLWe saw this used in conjunction with a N-day remote code execution targeting webkit.Thanks to Apple for getting patch out so quickly.September 23, 2021
The fix for CVE-2021-30869 is the entirety of the new patch for macOS Catalina. The fact that the flaw hasn't been patched in macOS Big Sur or iOS 15 indicates that it doesn't exist or is impossible to exploit on those newer operating systems.
Apple has been continuing to supply iPhones and iPads from 2013 and 2014 — the same age as the patched older Macs — with security updates for iOS 12 despite its general policy of not supporting mobile devices more than five years old.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.