Apple released updates for iPhone, iPad, Mac, and Apple Watch today with multiple security updates. The patched flaws involved malicious web content that could lead to arbitrary code execution – and Apple says they may have been actively exploited.
Apple released iOS 14.5.1 and iOS 12.5.3, macOS 11.3.1, and watchOS 7.4.1 today with the primary changes being security fixes (App Tracking Transparency bug fix for iOS too). So be sure to install the newest updates to get the latest protection.
In support documents, Apple detailed the web flaws that were fixed. The first flaw meant that “Processing maliciously crafted web content may lead to arbitrary code execution.” Memory corruption was at play here and Apple says it fixed the issue with “improved state management.”
A second flaw also dealt with the same potential for malicious web content potentially executing arbitrary code and Apple says it also may have been exploited in the wild. On this one, Apple solved the problem with an integer overflow and “improved input validation.”
Meanwhile, for older iPhones and iPads, two additional security issues were fixed with iOS 12.5.3. Apple patched the buffer overflow/improved memory handling and also updated the “use after free issue.”
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A memory corruption issue was addressed with improved state management.
CVE-2021-30665: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA
Description: An integer overflow was addressed with improved input validation.
CVE-2021-30663: an anonymous researcher
Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
Description: A buffer overflow issue was addressed with improved memory handling.
CVE-2021-30666: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA
WebKit Storage
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30661: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA