Apple has patched two iOS zero-day flaws that “could have been actively exploited” to gain access to older iPhone, iPad, and iPod devices.
Memory corruption and use after free vulnerabilities in the WebKit browser engine are the causes of the two bugs (identified as CVE-2021-30761 and CVE-2021-30762), which were both discovered and reported by anonymous researchers.
Apple’s web browsers and applications use Webkit to render HTML content on desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.
Impacted devices include older:
- iPhones (iPhone 5s, iPhone 6, iPhone 6 Plus).
- iPads (iPad Air, iPad mini 2, iPad mini 3).
- and the iPod touch (6th generation).
When it came to the two iOS 12.5.4 flaws, Apple claimed, that Apple is aware of a report that the vulnerabilities may have been actively exploited.
Apple, however, didn’t provide details about the attacks, the victims who may have been targeted, or the threat actors who may be exploiting them.
Since March, Apple’s security reports have been flooded with zero-day bugs—nine in total—the majority of which have been classified as having been exploited in attacks.
Last month, Apple patched a macOS zero-day (CVE-2021-30713) exploited by the XCSSET malware to get around Apple’s TCC privacy measures.
In May, Apple patched three zero-day vulnerabilities in the Webkit engine (CVE-2021-30663, CVE-2021-30665, and CVE-2021-30666), which allowed arbitrary remote code execution (RCE) on vulnerable devices merely by visiting malicious websites.
In March, Apple released security updates to fix yet another iOS zero-day (CVE-2021-1879), as well as zero-days in iOS (CVE-2021-30661) and macOS (CVE-2021-30657).
Shlayer malware took advantage of this flaw to go beyond Apple’s File Quarantine, Gatekeeper, and Notarization security procedures.
Users of Apple devices are advised to update to the most recent versions of software updates in order to reduce the risk of the vulnerabilities.
Related: Apple releases fixes zero-day vulnerabilities for its operating systems
Also read: SEO poisoning used to backdoor targets with malware