Apple said it is aware of a report that the flaw, discovered by an anonymous researcher, ‘may have been actively exploited’.
Apple has released a security update for older iPhones and iPads running on iOS 12 to patch a vulnerability that could let a malicious website run unchecked code on the device.
Users of the iPhone 5S, iPhone 6, iPhone 5 Plus, iPad Air, iPad Mini 2, iPad Mini 3 and iPod Touch (6th generation) are now advised to update to iOS 12.5.6 to protect their devices.
The software giant posted a security advisory yesterday (31 August) saying “an out-of-bounds write issue was addressed with improved bounds checking”.
The patches were backported from an update two weeks ago that addressed issues on iPhone 6S and later models, all iPod Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later and iPod touch (7th generation).
Discovered in WebKit, the browser engine used by Safari and other apps that can access the web, the iOS 12 vulnerability may allow hackers to execute arbitrary code on devices that access malicious websites.
Apple said that it is aware of a report that this issue “may have been actively exploited”. It credited an anonymous researcher with the discovery of the security flaw.
Older devices running on iOS 12 were not impacted by a second recently discovered vulnerability, which affected the kernel – the core component of an operating system, running with the highest privileges. That flaw could have given hackers the ability to execute any commands and effectively take control of a device.
These types of vulnerabilities have been exploited by malicious actors in the past, notably with the use of Pegasus spyware. Last September, Apple issued an urgent update to address a security flaw that could be exploited to infect iOS devices with the spyware.
Everyone with iPhones and iPads on iOS 12 should update their devices immediately.