Apple has released security updates to patch two actively exploited iOS zero-day vulnerabilities in the WebKit engine, which hackers are using to target iPhones, iPads, iPods, macOS, and Apple Watch devices.
According to several Apple security advisories, the company is aware of a report that these iOS vulnerabilities have been actively exploited.
WebKit is Apple’s browser rendering engine, which is used by all iOS mobile web browsers as well as other HTML-rendering apps including Apple Mail and the App Store.
CVE-2021-30665 and CVE-2021-30663 are two vulnerabilities that enable arbitrary remote code execution (RCE) on a vulnerable device when its user simply visits a malicious website.
RCE flaws allow attackers to remotely target and execute commands on compromised devices.
Yang Kang, zerokeeper, and Bian Liang of Qihoo 360 ATA discovered CVE-2021-30665, while an anonymous researcher reported CVE-2021-30663 to Apple.
The following devices are among those that have been impacted:
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, and iPod touch (7th generation)
- macOS Big Sur
- Apple Watch Series 3 and later

The zero-days were addressed by Apple in the iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1 updates.
This update also fixes a problem with App Tracking Transparency, in which certain users who had previously disabled Allow Apps to Request to Track in Settings could not receive prompts from apps after re-enabling it.