The flaws affected the iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) as well as older macOS versions.
Apple has urged users of older mobile and desktop devices to update their software immediately, as a vulnerability could allow an attacker to take full control of their device.
Apple has pushed out important security updates for older iPhone, iPad, and iPod models to address zero-day vulnerabilities.
The patches address an out-of-bounds write error that can be exploited to take control of the impacted device.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory (HT213428) that urges users and IT administrators to review it and install the necessary updates.
Flaws in the software are listed in the Common Vulnerabilities and Exposures (CVE) database, a system that’s funded by a division of the US Department of Homeland Security (DHS), ensuring public disclosure of security vulnerabilities and exposures.
Apple initially declined a request for comment on whether the vulnerabilities had come to its attention through active exploits. However, its security update noted “Apple is aware of a report that this issue may have been actively exploited.”
Jack Gold, principal analyst at J. Gold Associates, LLC, says web pages can be designed in such a way that they cause code to run on the device outside of the normal containment, creating a malware situation on the device that may jeopardize data, contacts, and location, and insert malicious software.
“It’s a big deal,” says Gold.
Gold says that because the issue only affects older devices, there are relatively few devices that are at risk.
“Regardless, anyone with one of those devices should update as soon as possible,” he says.
According to Gold, the limited number of devices at risk, given that the issue only affects older models, should prompt users of those models to take action. He also stresses that the devices should be updated as soon as possible.
Older devices without patches are particularly vulnerable to cybercriminals, who especially enjoy exploiting those vulnerabilities to gain complete control and access to other systems and services.
Malwarebytes said in a blog post that attackers could lure a victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting the vulnerability.
“Apple’s HTML rendering software (WebKit) is vulnerable, so Macs, iPhones, and iPads might be tricked into running unauthorised code,” said Malwarebytes.
Apple advises users to upgrade to iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1 to fix the issue.