Apple has released iOS 12.5.4 to address two critical flaws currently under active exploitation by malicious actors. The two vulnerabilities are tracked as “CVE-2021-30761” and “CVE-2021-30762”, and both are in the WebKit engine of the Safari web browser. In addition to these actively exploited flaws, the latest patch also addresses “CVE-2021-30737,” a memory corruption issue in the ASN.1 decoder that could lead to arbitrary code execution. For this one, Apple has seen no signs or reports of exploitation, so it is being addressed as a precaution.
WebKit is a persistent nag for Apple, plaguing old and new versions of iOS and keeping its security engineers busy, or at least under pressure. In this case, the implications of the two flaws are the same: processing maliciously crafted web content may lead to arbitrary code execution. The first is a memory corruption issue addressed with improved state management, and the second is a use-after-free problem addressed with improved memory management.
The typical exploitation method for flaws of this kind is to trick the target into visiting a website that contains maliciously crafted web content. As such, the exploitation potential is wide, so users should be very wary of which links they end up tapping and how those links reached them in the first place. It is also important to note that exploitation of these flaws is silent, so the victim seldom realizes the trouble they are in.
iOS 12 was released back in September 2018, and it still receives some security updates from Apple because a respectable number of devices out there still rely on it. These include the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and the sixth-generation iPod touch. In 2021 alone, iOS 12 has received four security updates, which keeps the old mobile operating system safe and secure today.