Patch your Apple Devices now – Another WebKit Zero-Day is afoot.

Yesterday Apple pushed out updates to iOS, macOS Big Sur, and watchOS, bringing them to iOS 14.5.1, Big Sur 11.3.1, and watchOS 7.4.1. These fix 2 vulnerabilities in WebKit, the engine that powers the Safari browser and other web-content handlers like Mail and the App Store pages, that Apple says may already be in use by hackers. Apple describes the 2 bugs as follows:

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved state management.

CVE-2021-30665: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

CVE-2021-30663: an anonymous researcher

Older devices running iOS 12 were also bumped to iOS 12.5.3. Interestingly, besides fixing those 2 issues, this patch fixes 2 more WebKit vulnerabilities: a buffer overflow in WebKit and another issue in WebKit Storage. Those issues are described as follows:

WebKit

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30666: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA

WebKit Storage

Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30661: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA

If you haven’t already, patch your iPhones, iPads, Macs and Watches. If these bugs are already being exploited in the wild, that means other hackers may know about them and may have been using them for a while. Additionally, when vulnerabilities like these are brought to light, some hacking groups tend to use them more heavily to get as many infections as they can before everyone applies the patches. HomePods and Apple TVs don’t appear to be affected at this time.

Feel free to comment.
