Apple today released updates for iPhone, iPad, Mac and Apple Watch with several security improvements, including a fix for an issue in the ATT framework. The patched vulnerabilities also include WebKit bugs in which maliciously crafted web content could lead to arbitrary code execution; Apple says these were actively exploited.
Apple today published iOS 14.5.1, iPadOS 14.5.1, watchOS 7.4.1 and macOS Big Sur 11.3.1, as well as iOS 12.5.3 and iPadOS 12.5.3 for older devices, with the changes being primarily security fixes. A bug in the ATT (App Tracking Transparency) framework was also fixed. But that's not all.
iOS 14.5.1 & Co.: Apple fixes serious security vulnerabilities
Apple has now updated two support documents detailing the corresponding WebKit bugs. The first vulnerability allows "processing of maliciously crafted web content that can lead to arbitrary code execution." This involved memory corruption, which, according to Apple, was fixed with "improved state management." A second bug carried the same potential: maliciously crafted web content leading to arbitrary code execution. According to the company, this vulnerability was also exploited. In this case, the problem was an integer overflow, which Apple fixed with "improved input validation." The documentation states the following:
WebKit
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A memory corruption issue was resolved through improved state management.
- CVE-2021-30665: yangkang (@dnpushme)&zerokeeper&bianliang from 360 ATA
WebKit
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: An integer overflow was fixed with improved input validation.
- CVE-2021-30663: An anonymous researcher
Two further security vulnerabilities affecting older iPhones and iPads were also fixed with iOS 12.5.3: a buffer overflow, addressed through improved memory handling, and a use-after-free issue, resolved through improved memory management.
WebKit
- Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A buffer overflow problem was fixed through improved memory handling.
- CVE-2021-30666: yangkang (@dnpushme)&zerokeeper&bianliang from 360 ATA
WebKit storage
- Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A "use after free" issue was resolved through improved memory management.
- CVE-2021-30661: yangkang (@dnpushme)&zerokeeper&bianliang from 360 ATA
Today's updates fix several serious security vulnerabilities, so please make sure you install the latest versions to stay protected. (Photo by dolgachov / Bigstockphoto)