Apple Fixes Three Zero-Day Flaws That Are Under Active Exploitation

  • Apple has addressed three zero-day flaws in WebKit, and the patches are already available.
  • No details were given, but all three are easy and stealthy to exploit: it is enough to lead the victim to a malicious website.
  • WebKit has proven to be a reliable source of headaches for Apple’s security engineers.

Apple has disclosed another batch of zero-days that are under active exploitation in the wild, and all of them are in WebKit, the engine behind Safari. The fixes arrive through iOS 14.5.1, iOS 12.5.3, iPadOS 14.5.1, macOS Big Sur 11.3.1, and watchOS 7.4.1.

As such, users of Apple devices running the aforementioned operating systems are advised to apply the available patch immediately and shut the door on exploitation. In all cases, the exploits can be triggered merely by visiting a malicious (but seemingly innocuous) website, so the compromise happens silently and without any further user interaction.

The full list of the flaws and their impact is the following:

  • CVE-2021-30665: A memory corruption flaw in WebKit that could allow maliciously crafted web content to lead to arbitrary code execution on the target device. Affects iOS, iPadOS, macOS, and watchOS.
  • CVE-2021-30663: An integer overflow vulnerability in WebKit, potentially allowing arbitrary code execution through maliciously crafted web content. Affects iOS, iPadOS, and macOS.
  • CVE-2021-30666: A buffer overflow bug that could lead to arbitrary code execution through the processing of maliciously crafted web content. Affects legacy iOS 12.5 and is fixed in version 12.5.3.

All of these flaws are being actively exploited in the wild, mostly targeting iPhone users. We have seen the same WebKit zero-day trouble on iOS 14.4 in March 2021, in an earlier version of the same branch in January 2021, and on iOS 14.2 in November 2020. WebKit zero-days appear to be the biggest source of headaches for Apple, and the most valuable target for malicious actors, exploit developers, and exploit sellers.

As always, Apple hasn’t elaborated much on the exploitation side, withholding details such as who was attacking whom, the scale of the exploitation, the number of potentially affected users, attack themes, IoCs, the websites used, and so on. This is unfortunate, but it is Apple’s typical approach on the matter, so we’ll have to accept it and simply apply the patches as they come.
