Apple Issues Urgent Security Patches In Response To Active Attacks On Zero-Day Bugs
The flaws reside in WebKit, the browser engine behind Safari and every third-party web browser on iOS, and allow an attacker who lures a victim to a malicious web page to execute arbitrary code on the device. The three vulnerabilities are summarised as follows:
- CVE-2021-30663: An integer overflow that could be triggered by maliciously crafted web content, leading to arbitrary code execution. The flaw was addressed with improved input validation.
- CVE-2021-30665: A memory corruption issue that could be triggered by maliciously crafted web content, leading to arbitrary code execution. The flaw was addressed with improved state management.
- CVE-2021-30666: A buffer overflow that could be triggered by maliciously crafted web content, leading to arbitrary code execution. The flaw was addressed with improved memory handling.
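Apple's advisories describe the first bug only as an integer overflow fixed with "improved input validation", and do not publish the affected WebKit code. The following is an added illustration, not WebKit's code and not the actual CVE-2021-30663 defect: it shows the generic pattern such an advisory usually points to, a length-prefixed record whose element count is multiplied by the element size in a 32-bit type so that the product wraps, the allocation ends up far smaller than what the copy loop writes, and then the validated version that rejects the input before any memory is touched. The record format, the function names and the sample bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Illustrative pattern only (not WebKit code): a hypothetical length-prefixed
 * record whose header declares how many 4-byte elements follow. The classic
 * bug is computing the buffer size as count * 4 in a 32-bit type, which wraps
 * for large counts, so the allocation is tiny while the copy still trusts
 * `count`.
 */

typedef struct {
    uint32_t count;
    uint32_t *elems;   /* heap copy of the elements, or NULL when count == 0 */
} record_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Unchecked size computation, as the vulnerable code would do it. Rather than
 * performing the out-of-bounds write, this reports the allocation that would
 * be made and the bytes the copy would write; it returns 1 when the copy
 * exceeds the allocation, i.e. when a heap overflow would occur.
 */
static int unchecked_would_overflow(uint32_t count, uint32_t *alloc_bytes,
                                    uint64_t *copy_bytes) {
    *alloc_bytes = count * 4u;            /* 32-bit multiply: wraps mod 2^32 */
    *copy_bytes  = (uint64_t)count * 4u;  /* what a loop over `count` writes */
    return *copy_bytes > *alloc_bytes;
}

/*
 * Hardened parser ("improved input validation"): reject counts whose byte size
 * cannot be represented, and reject counts that claim more data than the
 * input actually carries, before any allocation happens.
 * Returns 0 on success; negative codes identify the rejected condition.
 */
static int parse_record(const uint8_t *buf, size_t len, record_t *out) {
    if (len < 4)
        return -1;                        /* truncated header */
    uint32_t count = read_le32(buf);
    if (count > UINT32_MAX / 4u)
        return -2;                        /* count * 4 would overflow */
    uint32_t bytes = count * 4u;          /* provably no wrap after the check */
    if (bytes > len - 4)
        return -3;                        /* declared length exceeds input */

    out->count = count;
    out->elems = NULL;
    if (count == 0)
        return 0;
    out->elems = malloc(bytes);
    if (!out->elems)
        return -4;
    for (uint32_t i = 0; i < count; i++)
        out->elems[i] = read_le32(buf + 4 + (size_t)i * 4);
    return 0;
}

static void free_record(record_t *r) {
    free(r->elems);
    r->elems = NULL;
    r->count = 0;
}

int main(void) {
    /* Constructed sample input: count = 2, elements 0x11111111 and 0x22222222. */
    const uint8_t good[] = { 2,0,0,0, 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22 };
    record_t r;
    printf("good record: rc=%d\n", parse_record(good, sizeof good, &r));
    free_record(&r);

    /* Constructed hostile header: count = 0x40000001, so count * 4 wraps to 4. */
    const uint8_t evil[] = { 0x01,0x00,0x00,0x40 };
    uint32_t alloc; uint64_t copy;
    int ovf = unchecked_would_overflow(read_le32(evil), &alloc, &copy);
    printf("unchecked: alloc=%u bytes, copy=%llu bytes, overflow=%d\n",
           alloc, (unsigned long long)copy, ovf);
    printf("hardened: rc=%d\n", parse_record(evil, sizeof evil, &r));
    return 0;
}
```

The check `count > UINT32_MAX / 4u` is the whole fix: it is performed in the same width as the multiplication, so no wrap is possible afterwards, and the second check (`bytes > len - 4`) closes the separate hole where a count that does not overflow still promises more data than the input contains.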
The development comes a week after Apple rolled out iOS 14.5 and macOS Big Sur 11.3 with a fix for a potentially exploited WebKit Storage vulnerability. Tracked as CVE-2021-30661, the use-after-free issue was discovered and reported to the iPhone maker by a security researcher named yangkang (@dnpushme) of Qihoo 360 ATA.
yangkang, along with zero keeper and bianliang, has been credited with reporting the three new flaws.
It’s worth noting that CVE-2021-30666 only affects older Apple devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The iOS 12.5.3 update, which remediates this flaw, also includes a fix for CVE-2021-30661.
The company said it’s aware of reports that the issues “may have been actively exploited” but, as is typically the case, did not elaborate on the nature of the attacks, the victims that may have been targeted, or the threat actors that may be abusing them.
Users of Apple devices are recommended to update to the latest versions (iOS 14.5.1, iPadOS 14.5.1, macOS Big Sur 11.3.1, watchOS 7.4.1 and, for the older devices listed above, iOS 12.5.3) to mitigate the risk associated with the flaws.