Exploitable flaw in older iPhones patched - Mobile Security Briefing 2023.103

In late January, Apple released a security update for what most folks would consider an ancient version of iOS (iOS 12.5.7). It’s rare to see an update for an iOS version that’s 4 major versions old, so any organization with older iOS devices should take note.

I routinely check out Apple’s security updates page to monitor for bugs that require quick mitigation. You can see the specific security contents for iOS 12.5.7 or any other release from Apple. The detailed pages always include important information including:

  • when the update was released
  • the date of any updates made after publication
  • which devices and OS versions are impacted
  • description and impact
  • CVE numbers

However, the CVE data may take a while to make it to public systems like NVD, so you may not see a CVSS score immediately. And always look for language along the lines of this:

Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.

which indicates a 0-day that should be addressed immediately. Just because the iOS version seems ancient doesn’t mean folks in your organization aren’t still running it. Attackers are always looking for opportunities, so patch early and often!
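
The check described above can be scripted. This is an added example, not part of the original briefing or any Apple tooling: it scans advisory text that has been saved locally, flags entries carrying the "actively exploited" wording, and lists their CVE IDs first. The entry layout (blank-line separated, component name on the first line), the function name `triage`, and the sample text with its placeholder CVE IDs are all assumptions constructed for illustration.

```python
import re

# Wording the briefing says to look for; matched loosely so a different
# version number at the end of the sentence still triggers.
EXPLOITED_RE = re.compile(
    r"aware of a report that this issue may have been\s+actively exploited",
    re.IGNORECASE,
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample (not copied from a real advisory). Assumed layout:
# entries separated by blank lines, first line is the component name.
SAMPLE_ADVISORY = """\
ExampleComponent
Available for: example devices
Impact: Processing crafted content may lead to code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
Description: Placeholder description.
CVE-0000-00001: placeholder reporter

OtherComponent
Available for: example devices
Impact: An app may be able to read sensitive information.
Description: Placeholder description.
CVE-0000-00002: placeholder reporter
"""

def triage(advisory_text):
    """Return one dict per entry: component, CVE IDs, exploited flag."""
    results = []
    for block in re.split(r"\n\s*\n", advisory_text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        # Collapse whitespace so the phrase matches across wrapped lines.
        flat = " ".join(" ".join(lines).split())
        results.append({
            "component": lines[0],
            "cves": sorted(set(CVE_RE.findall(flat))),
            "exploited": bool(EXPLOITED_RE.search(flat)),
        })
    # Stable sort: entries with the exploitation wording come first.
    results.sort(key=lambda r: not r["exploited"])
    return results

if __name__ == "__main__":
    for entry in triage(SAMPLE_ADVISORY):
        tag = "PATCH NOW" if entry["exploited"] else "review"
        cves = ", ".join(entry["cves"]) or "no CVE listed"
        print(f"[{tag}] {entry['component']}: {cves}")
```

Because CVSS scores may lag in NVD, the exploitation wording in the advisory itself is the earlier prioritisation signal, which is why the script keys on it rather than on a score.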