Over the past week, Apple has rolled out some important security updates—including updates to iOS 16, iOS 15, and even iOS 12 to protect iPhones from a major vulnerability that’s still in the wild. That extends to older iPhone models too.
Although the iPhone 5s was released back in 2013 and discontinued in 2016, it still gets the occasional crucial software update from Apple. The newest software for these older devices, iOS 12.5.7, was released last week and patches a bug with the catchy name of CVE-2022-42856 in older iPhones and iPads, including the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
For the newer versions of iPhones, CVE-2022-42856 was squashed at the end of November as part of iOS 16.1.2. It was also dealt with on other devices with the release of iOS 15.7.2, iPadOS 15.7.2, tvOS 16.2, and macOS Ventura 13.1. Basically, if you’ve been tapping “Remind Me Tomorrow” on your Apple updates for a few weeks, now is the time to do it.
First spotted late last year by Clément Lecigne of Google’s Threat Analysis Group, CVE-2022-42856 is a bug in Apple’s browser engine, WebKit, that allows an attacker to create malicious web content that can execute code on iPhones, iPads, Macs, and even Apple TVs. While everyone is a little cagey about the specifics of the exploit so that more bad actors can’t figure it out, it has a “High” severity score. That’s on a scale that goes None, Low, Medium, High, and then Critical. It’s based on both how much control these kind of exploits give attackers and how easily and widely they can be implemented.
Crucially, Apple said on January 23 that it has received reports that this issue is being “actively exploited.” In other words, there are hackers out there using it to target Apple devices—including older devices running iOS 12—so it’s best to update to stay safe.
As well as CVE-2022-42856, iOS 16.3, iPadOS 16.3, macOS Ventura 13.2, and watchOS 9.3, which were released last week, squash a long list of vulnerabilities. Among them are two more WebKit bugs that could allow attackers to execute malicious code, two macOS denial-of-service vulnerabilities, and two macOS kernel vulnerabilities that could be abused to reveal sensitive information, execute malicious code, or determine details about its memory structure—possibly allowing for further attacks.
But these latest updates don’t just deal with bugs. After being announced last year, Apple has added support for security keys to Apple IDs. Basically, when you log in to your Apple ID, instead of getting a two-factor authentication (2FA) code sent to your phone which can be intercepted by hackers, you can use a hardware security key that connects to your Apple device over USB port, Lightning port, or NFC. It’s significantly more secure because an attacker would have to physically steal your security key and learn your password to gain access to your account.
To get started with setting your phone up with a hardware security system, you need at least two FIDO certified security keys that are compatible with your Apple devices, just in case you lose one. Apple recommends the YubiKey 5C NFC or YubiKey 5Ci for most Mac and iPhone models, and the FEITAN ePass K9 NFC USB-A for older Macs. You also need your devices updated to iOS 16.3 and macOS Ventura 13.2. Once you’re ready, you can connect your security keys to your account in the Password & Security section of the relevant Settings app.