Today an update for iOS was released for both iPhone and iPad, and along with it, some real fixes. This update patches vulnerabilities and security issues of several sorts, mainly for devices released before iPhone 7 – that is, before the year 2016. If you have an iPhone or iPad newer than this, it’s still important to check for updates, especially security updates, but you’re probably fine for now.
In iOS 12.5.5, users will find fixes for vulnerabilities in CoreGraphics, WebKit, and XNU. For XNU, a vulnerability was discovered that allowed a malicious application to execute arbitrary code with kernel privileges. Apple noted here that they were aware of reports that “an exploit for this issue exists in the wild,” but did not say that said vulnerability was actively exploited.
For WebKit, a bit of “maliciously crafted web content” could potentially lead to arbitrary code execution. Apple describes this vulnerability differently from the XNU-related issue: here the company says it was aware of a report that this WebKit issue “may have been actively exploited.”
The CoreGraphics vulnerability was triggered by processing a maliciously crafted PDF, which had the potential to lead to arbitrary code execution. The fix addressed an integer overflow with improved input validation.
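To show what "an integer overflow addressed with improved input validation" means in general, here is an added example that is not Apple's code and does not reproduce the CoreGraphics flaw. It assumes a hypothetical decoder that sizes a buffer from header fields read out of an untrusted file; the struct, function names and size cap are all illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical header fields read from an untrusted file.
   Names are illustrative, not taken from any real decoder. */
struct img_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t components;   /* channels per pixel */
};

/* Constructed policy limit for this example: refuse buffers above 256 MiB. */
#define MAX_IMG_BYTES ((size_t)256 * 1024 * 1024)

/* Unchecked: the product is computed in 32 bits and silently wraps, so a
   header describing a huge image can yield a small allocation size. */
uint32_t buf_size_unchecked(const struct img_hdr *h)
{
    return h->width * h->height * h->components;
}

/* Multiply two sizes, reporting overflow instead of wrapping. */
static bool mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Checked: rejects zero fields, any overflowing product, and any size
   above the policy limit before a buffer is ever allocated. */
bool buf_size_checked(const struct img_hdr *h, size_t *out)
{
    size_t n;

    if (h->width == 0 || h->height == 0 || h->components == 0)
        return false;
    if (!mul_ok(h->width, h->height, &n) || !mul_ok(n, h->components, &n))
        return false;
    if (n > MAX_IMG_BYTES)
        return false;
    *out = n;
    return true;
}
```

With the unchecked version, later writes sized by the real dimensions would run past the undersized buffer; the checked version fails the parse instead.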
The CoreGraphics issue was submitted by The Citizen Lab, WebKit by an anonymous researcher, and the XNU issue was submitted by Clément Lecigne of Google Threat Analysis Group, Erye Hernandez of Google Threat Analysis Group, and Ian Beer of Google Project Zero.
This update is necessary for iPhone 5s, iPhone 6 and 6 Plus, iPad Air (gen 1), iPad mini 2, iPad mini 3, and 6th-gen iPod touch. You can download this software update by opening Settings – General – Software Update. If this software update is not yet available to you, you’ll likely have access by the end of this week – hopefully sooner!