- Apple has addressed three zero-day flaws in WebKit, and the patches are already available.
- No details were given, but all three are easy and stealthy to exploit: it is enough to lead the victim to a malicious website.
- The WebKit has proven to be a reliable source of headaches for Apple’s security engineers.
Apple has disclosed another batch of zero-days that are under active exploitation in the wild, all of them in WebKit, Safari’s engine. The fixes arrive through iOS 14.5.1, iOS 12.5.3, iPadOS 14.5.1, macOS Big Sur 11.3.1, and watchOS 7.4.1.
As such, users of Apple devices running the aforementioned operating systems are advised to apply the available patch immediately and shut the door on exploitation. In all cases, the exploits can be triggered by merely visiting a malicious (but seemingly innocuous) website, so the compromise happens silently and without any further user interaction.
The full list of the flaws and their impact is the following:
- CVE-2021-30665: A memory corruption flaw in WebKit that could allow maliciously crafted web content to lead to arbitrary code execution on the target device. Affects iOS, iPadOS, macOS, and watchOS.
- CVE-2021-30663: An integer overflow vulnerability in WebKit, potentially allowing arbitrary code execution through maliciously crafted web content. Affects iOS, iPadOS, and macOS.
- CVE-2021-30666: A buffer overflow bug that sets the stage for arbitrary code execution through the processing of maliciously crafted web content. Affects the legacy iOS 12.5 branch and is fixed in version 12.5.3.
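Because the fix lands in different versions on different branches (iOS 12.x needs 12.5.3 while iOS 14.x needs 14.5.1, and macOS only lists Big Sur 11.3.1), a fleet-wide "are we patched?" check is more than a single version compare. The script below is an added example, not code from Apple or from this article: it encodes only the fixed versions named above and assumes a simple `platform,version` inventory export (the sample inventory is constructed, not real data). Devices on a branch the advisory does not list (an iOS 13.x device, or a platform such as tvOS) are reported as `unknown` for manual review rather than silently treated as patched.

```python
"""Check device OS versions against the fixed builds named in the advisory.

Added example (not from the article or from Apple). Assumes an inventory
in "platform,version" form, one device per line, e.g. exported from an MDM.
Only the fixed versions listed in the advisory are encoded here.
"""

# Fixed versions from the advisory, keyed by platform and major-version
# branch. iOS has two branches with a fix here (legacy 12.x and 14.x).
FIXED_VERSIONS = {
    "ios": {12: (12, 5, 3), 14: (14, 5, 1)},
    "ipados": {14: (14, 5, 1)},
    "macos": {11: (11, 3, 1)},
    "watchos": {7: (7, 4, 1)},
}


def parse_version(text: str) -> tuple:
    """Turn '14.5' or '11.3.1' into a comparable 3-tuple (missing parts are 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def patch_status(platform: str, version: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for one device."""
    branches = FIXED_VERSIONS.get(platform.strip().lower())
    if branches is None:
        return "unknown"  # platform not covered by this advisory
    try:
        ver = parse_version(version)
    except ValueError:
        return "unknown"  # malformed version string in the inventory
    fixed = branches.get(ver[0])
    if fixed is None:
        # e.g. iOS 13.x: no fix is listed for this branch, so it cannot be
        # declared patched; flag it for review instead of passing it
        return "unknown"
    return "patched" if ver >= fixed else "unpatched"


def summarize(inventory: str) -> dict:
    """Count statuses over a 'platform,version' text block, one device per line."""
    counts = {"patched": 0, "unpatched": 0, "unknown": 0}
    for line in inventory.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        platform, version = (f.strip() for f in stripped.split(",", 1))
        counts[patch_status(platform, version)] += 1
    return counts


# Constructed sample inventory for illustration; not real device data.
SAMPLE_INVENTORY = """
# platform,version
ios,14.5.1
ios,14.5
ios,12.5.3
ios,12.5.2
ios,13.7
ipados,14.4.2
macos,11.3.1
macos,11.3
watchos,7.4.1
tvos,14.5
"""

if __name__ == "__main__":
    for line in SAMPLE_INVENTORY.strip().splitlines():
        if line.startswith("#"):
            continue
        platform, version = line.split(",", 1)
        print(f"{platform:8} {version:8} {patch_status(platform, version)}")
    print(summarize(SAMPLE_INVENTORY))
```

Versions are compared as tuples so that `14.5` sorts below `14.5.1`; a plain string comparison would get `14.10` versus `14.5` wrong. Treating unlisted branches as `unknown` is deliberate: an iOS 13.x device has no fix in this advisory, and the safe reporting choice is to surface it rather than count it as either patched or unpatched.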
All of these flaws are being actively exploited in the wild, mostly against iPhone users. We have seen the same WebKit zero-day trouble on iOS 14.4 in March 2021, in an earlier version of the same branch in January 2021, and on iOS 14.2 in November 2020. WebKit zero-days appear to be the biggest source of headaches for Apple, and the most valuable target for malicious actors, exploit developers, and exploit sellers.
As always, Apple hasn’t elaborated much on the exploitation aspect, withholding details such as who attacked whom, the scale of the exploitation, the number of potentially affected users, attack themes, IoCs, websites used, etc. This is unfortunate, but it is Apple’s typical approach on the matter, so we’ll have to accept it and just apply the patches as they come.