Last year, on the last day of August 2022, we wrote with mild astonishment and maybe even a little touch of excitement about an unexpected but rather important update for iPhones stuck on iOS 12.
As we noted at the time, we had already decided that iOS 12 had slipped (or perhaps quietly been pushed) off Apple’s radar and would never be updated again, given that the previous update had been a year before that, back in September 2021.
But we had to scrap that decision when iOS 12.5.6 appeared unexpectedly and fixed a mysterious zero-day bug that had been fixed several weeks earlier in Apple’s other products.
Given that the iOS 12 bug fixed back then was in WebKit, Apple’s web rendering engine used in all web browsers on iDevices, not just Safari; given that real-world attackers were already known to exploit the hole; given that browser bugs almost always mean that simply looking at a seemingly innocent and unimportant looking web page can be enough to implant spyware on your phone in the background…
…we decided iOS 12.5.6 was an important update to get:
Updates you thought you’d never see are important to check up on, especially if you own an older “backup” iPhone that you don’t use every day anymore, or that you’ve passed on to a less tech-savvy member of your family.
Well, here’s some déjà vu again: Apple’s latest updates just dropped, and as far as we can tell, there’s only one zero-day fix among the updates, and again, it’s for iOS 12.
Just as importantly, this patch also fixes a hole in WebKit that sounds like it’s already been abused by attackers to implant malware.
As it happens, this is the only bug fixed in the iOS 12.5.7 update, and it has the official bug number CVE-2022-42856.
A bell rings
If the bug number CVE-2022-42856 rings a bell, it’s probably because Apple fixed it in two rounds of updates for all its other products in December 2022.
First, there was a mysterious round of updates that turned out not to be a round so much as a solo effort that patched iOS 16.1 up to iOS 16.2.
No other devices in the Apple stable were updated, not even iOS 15, the previous version of iOS that some users stuck with by choice and others because their older phones couldn’t be upgraded to iOS 16.
Second, a few weeks later came the updates that somehow felt like they were delayed from the first “round”.
At this point, Apple rather curiously (or perhaps we mean confusingly?) admitted that the update already published for iOS 16 was actually a patch against CVE-2022-42856, which had been a zero-day bug all along…
…but a zero-day that only applied to iOS 15.1 and earlier.
In other words, the early availability of the iOS 16.1.2 update, while it did no harm, turned out to have been a “fix” for the one version of iOS that didn’t need it.
The early iOS 16 update would have much more usefully made its first appearance as an iOS 15 patch instead.
Now iOS 12 joins the club
As you already know because we mentioned the bug number above, there is now a delayed zero-day patch for the same bug that applies to Apple’s oldest existing iOS flavor, namely iOS 12.
Get this update now because the bad guys have known about it for at least two months.
(We’re guessing that the attackers developed a keen interest in fine-tuning their CVE-2022-42856 exploit for iOS 12 as soon as the more widely used iOS 15 got its updates in late 2022.)
Go to Settings > General > Software update to check if you already have the patch, or to force an update if you don’t.
Many other updates too
For all that the critical iOS 12 zero-day patch fixes one and only one listed bug, Apple’s other products are getting a wide variety of patches, though we didn’t find any listed as “already actively exploited”.
In other words, none of the many bugs fixed in products other than iOS 12 count as zero days, so by patching right away you’re getting ahead of the bad guys, not just catching up to them.
The version numbers to look for after you have installed the patches are listed below, with their security bulletins for easy reference and the hardware products they apply to:
- Bulletin HT213597: iOS 12.5.7. For iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation).
- Bulletin HT213603: macOS Big Sur 11.7.3. Typically used on older Macs that don’t support the latest versions, such as the original 12″ MacBook from 2015.
- Bulletin HT213604: macOS Monterey 12.6.3.
- Bulletin HT213605: macOS Ventura 13.2.
- Bulletin HT213598: iOS 15.7.3 and iPadOS 15.7.3. iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation) and iPod touch (7th generation).
- Bulletin HT213606: iOS 16.3 and iPadOS 16.3. iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
- Bulletin HT213599: watchOS 9.3. Apple Watch Series 4 and later.
As usually happens with Mac updates, there is a new version of the WebKit rendering engine and Safari browser, called Safari 16.3, presumably to match the major product version number listed above, namely iOS 16.3 and iPadOS 16.3.
If you have the latest version of macOS, namely macOS Ventura 13, this new Safari version comes with the macOS update, so that’s all you need to download and install.
But if you’re still on macOS 11 Big Sur or macOS 12 Monterey, Safari patches come as a separate download, so there will be two updates waiting for you, not one. (The second update is not one you forgot from last time!)
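To check several devices against the version numbers listed above, including the separate Safari 16.3 download on macOS 11 and 12, the comparison has to be numeric rather than textual. The script below is an added example, not code from the original article or from Apple; the function names and inventory rows are constructed for illustration.

```python
# Added example: audit devices against the patched versions listed above.

# (platform, major version) -> (bulletin, first patched OS version)
PATCHED = {
    ("iOS", 12): ("HT213597", (12, 5, 7)),
    ("iOS", 15): ("HT213598", (15, 7, 3)),
    ("iOS", 16): ("HT213606", (16, 3)),
    ("macOS", 11): ("HT213603", (11, 7, 3)),
    ("macOS", 12): ("HT213604", (12, 6, 3)),
    ("macOS", 13): ("HT213605", (13, 2)),
    ("watchOS", 9): ("HT213599", (9, 3)),
}
SAFARI_PATCHED = (16, 3)  # separate download on macOS 11 and 12
SEPARATE_SAFARI = {("macOS", 11), ("macOS", 12)}

def parse(version):
    """'12.5.7' -> (12, 5, 7), so 12.5.10 sorts after 12.5.7."""
    return tuple(int(part) for part in version.strip().split("."))

def older(a, b):
    """Numeric compare with zero padding, so 16.3 equals 16.3.0."""
    width = max(len(a), len(b))
    a, b = (v + (0,) * (width - len(v)) for v in (a, b))
    return a < b

def audit(platform, os_version, safari_version=None):
    """Return a list of findings; an empty list means up to date."""
    platform = "iOS" if platform == "iPadOS" else platform  # same bulletins
    have = parse(os_version)
    key = (platform, have[0])
    if key not in PATCHED:
        return [f"{platform} {os_version}: not covered by these bulletins"]
    bulletin, want = PATCHED[key]
    findings = []
    if older(have, want):
        target = ".".join(map(str, want))
        findings.append(f"update to {platform} {target} ({bulletin})")
    # An unknown Safari version on macOS 11/12 is reported, not assumed safe.
    if key in SEPARATE_SAFARI and (
            safari_version is None or older(parse(safari_version), SAFARI_PATCHED)):
        findings.append("install Safari 16.3 (separate update)")
    return findings

# Constructed sample inventory: (name, platform, OS version, Safari version)
INVENTORY = [("spare-iphone6", "iOS", "12.5.6", None),
             ("office-mac", "macOS", "12.6.3", "16.2"),
             ("new-mac", "macOS", "13.2", None)]
if __name__ == "__main__":
    for name, platform, osv, safari in INVENTORY:
        print(name, audit(platform, osv, safari) or "up to date")
```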
What to do?
On macOS, you’ll need: Apple menu > About this Mac > Software update…
As mentioned above, on iPhones and iPads, use: Settings > General > Software update.
Don’t delay, especially if you’re still running an iOS 12 device…
… do it today!