Apple has released iOS 12.5.5 and Security Update 2021-006 for macOS 10.15 Catalina to address some particularly concerning security holes.
iOS 12.5.5 fixes three vulnerabilities. The first is the PDF vulnerability that enabled the Pegasus spyware used against activists. Apple fixed that in its more-current operating systems earlier this month (see “macOS 11.6 Big Sur, iOS 14.8, iPadOS 14.8, watchOS 7.6.2, and Security Update 2021-005 Catalina Fix Security Flaws,” 13 September 2021).
As for the other two vulnerabilities, one is a WebKit flaw that could lead to arbitrary code execution, and the other is a bug in the Darwin XNU kernel that allows an attacker to execute code with kernel privileges. Security Update 2021-006 Catalina fixes only the kernel bug. Apple notes that all three vulnerabilities have been exploited in the wild.
If you’re still running either of these older operating systems, you should update immediately. You can install iOS 12.5.5 in Settings > General > Software Update and Security Update 2021-006 Catalina in System Preferences > Software Update.
Interestingly, Apple words its awareness of the exploits in two different ways. For the PDF and WebKit vulnerabilities, the company says, “Apple is aware of a report that this issue may have been actively exploited.” For the XNU vulnerability, it says, “Apple is aware of reports that an exploit for this issue exists in the wild.” The difference could be random, relate purely to the number of reports, or mean something specific.