Apple update for older phones could signal serious security alert

Even phones as far back as the iPhone 5s, released in 2013, have received update notifications (Alvaro Reyes / Unsplash)

Yesterday was a big update day for Apple, with the company listing no fewer than eight security updates to iOS, macOS, and Safari on its security page. As is normal with these things, the problems fixed are only described in the vaguest terms so as to avoid guiding hackers towards easy targets.

But the potential risk is clearly significant, as Apple has seen fit to issue updates to iOS 12 and macOS Big Sur. Released in 2018 and 2020 respectively, these operating systems aren’t exactly ancient, but crucially only older phones that can’t update to later versions should still be using them.

In practical terms, that means that even those running the iPhone 5s and iPhone 6 (released in 2013 and 2014 respectively) are being encouraged to update their handsets, and the same is true for those with Macs bought a decade ago, too.

As Jake Moore, global cybersecurity advisor at ESET, explains, that’s typically a sign of a very risky security threat.

“There are a lot of security patches that have passed older devices by and, due to the amount of work required, Apple will only send out updates to older phones when something rather sinister may be lurking in the background and a risk to users,” Moore tells the Standard. “This can therefore suggest that these updates are clearly urgent, without directly saying what the problems are or what they could lead to.”

What is the evidence of a security leak?

The patch notes for iOS 12.5.7 and macOS 11.7.3 both include an update to WebKit, the browser engine underpinning Safari, so it seems the likely target.

While the accompanying text is subtly different on each listing, they both contain the following description: “Processing maliciously crafted web content may lead to arbitrary code execution”. In other words, if you open a malicious website via a phishing link or similar, nasty things can happen to your Mac or iPhone.

In the case of the latter, Apple adds that it is “aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1”, which explains why older phones are being patched.

“Criminal hackers favour targeting older devices or those which have not enabled security patches but, when this leads to bigger threats, an update will be essential to protect those devices and their data,” Moore explains.

“Those with auto updates enabled always remain the least at risk as the patches will happen automatically. So, even if your device is said to be not supported any more, it is still safer to keep auto-update turned on,” he adds.

Patches have also been issued for iOS 15, iOS 16, and macOS Monterey (iOS 13 and 14 are presumably excluded because all compatible devices can also run iOS 15 or later).

What can I do to protect my Apple devices?

If you’re on Apple hardware, it’s recommended that you update as a matter of urgency.

• On iOS, open the Settings app and then tap “General”, followed by “Software Update.”

• On Mac, click the Apple menu, then select “System Settings”, where you’ll find “Software Update” under the “General” tab in the sidebar.