Apple has recently fixed two zero-day bugs affecting its WebKit component. Exploiting the vulnerabilities could allow for arbitrary code execution.
Apple Patched WebKit Zero-Day Bugs
Recently, Apple has rolled out an out-of-band update for iPhone and iPad users. This update brings out the version iOS 12.5.4. Updating to this version is important for all users since it addresses two serious vulnerabilities under attack.
As elaborated in its advisory, Apple patched a total of three security vulnerabilities that include two zero-day bugs affecting WebKit.
Specifically, WebKit is the browser engine empowering all iOS web browsers including Apple Safari.
The first of these, CVE-2021-30761, was a memory corruption issue, whereas, the second, CVE-2021-30762, was a use-after-free flaw. Regarding the impact of both the vulnerabilities, the advisory states,
Processing maliciously crafted web content may lead to arbitrary code execution.
The tech giant also confirmed to know the exploitation of the bugs.
Apple is aware of a report that this issue may have been actively exploited.
Both the reports were tipped by an anonymous researcher. Consequently, Apple released the fixes for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th gen).
Alongside these two, the Cupertino giant fixed another security vulnerability that remained safe from exploitation. This flaw appeared due to a vulnerable code in the ASN.1 decoder, exploiting which could lead to code execution.
However, Apple patched this memory corruption flaw (CVE-2021-30737) by removing the vulnerable code.
Since the patches are out, users must ensure updating their devices at the earliest to stay protected against potential attacks.
These fixes arrive just a month after Apple addressed three other zero-day vulnerabilities in macOS/tvOS. One of these vulnerabilities even went under attack by the XCSSET malware since exploiting the bug allowed stealing data.
Let us know your thoughts in the comments.