Apple on Monday released security updates for iOS, macOS, and watchOS to address three zero-day flaws and expand patches for a fourth vulnerability that the company said might have been exploited in the wild.
The weaknesses all concern WebKit, the browser engine which powers Safari and other third-party web browsers in iOS, allowing an adversary to execute arbitrary code on target devices. A summary of the three security bugs are as follows -
- CVE-2021-30663: An integer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved input validation.
- CVE-2021-30665: A memory corruption issue that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved state management.
- CVE-2021-30666: A buffer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved memory handling.
The development comes a week after Apple rolled out iOS 14.5 and macOS Big Sur 11.3 with a fix for a potentially exploited WebKit Storage vulnerability. Tracked as CVE-2021-30661, the use-after-free issue was discovered and reported to the iPhone maker by a security researcher named yangkang (@dnpushme) of Qihoo 360 ATA.
yangkang, along with zerokeeper and bianliang, have been credited with reporting the three new flaws.
It's worth noting that CVE-2021-30666 only affects older Apple devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The iOS 12.5.3 update, which remediates this flaw, also includes a fix for CVE-2021-30661.
The company said it's aware of reports that the issues "may have been actively exploited" but, as is typically the case, failed to elaborate about the nature of attacks, the victims that may have been targeted, or the threat actors that may be abusing them.
Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.
Update: Apple has also released a new version of Safari 14.1 for macOS Catalina and macOS Mojave, with the update introducing fixes for the two WebKit flaws CVE-2021-30663 and CVE-2021-30665. The update comes a day after patches were shipped for iOS, macOS, and watchOS.