Apple fixes four zero-days under attack

A week after Apple patched a macOS zero-day that had been exploited by the Shlayer malware for months, the company has released new security updates for macOS, iOS, iPadOS and watchOS that plug four additional zero-days that “may have been actively exploited”.


The fixed Apple zero-days

macOS Big Sur 11.3.1, iOS 14.5.1 and iPadOS 14.5.1 fix:

  • CVE-2021-30665 – a memory corruption issue in WebKit that could lead to arbitrary code execution when a user views (i.e., Safari processes) maliciously crafted web content
  • CVE-2021-30663 – an integer overflow vulnerability in WebKit with the same outcome, triggered the same way

watchOS 7.4.1 plugs only the first of those security holes (CVE-2021-30665), while iOS 12.5.3 (the update branch for older devices) fixes both, as well as two other vulnerabilities that may have been exploited in the wild: CVE-2021-30666 (a buffer overflow issue in WebKit) and CVE-2021-30661 (a use-after-free issue in WebKit Storage), both of which may lead to arbitrary code execution when a user loads maliciously crafted web content.
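The fixed-version mapping above is the piece a defender actually has to act on: given a device's platform and OS version, which of these four CVEs is it still exposed to? The following is an added example (not code from the article or from Apple) that encodes that mapping and runs it over a constructed inventory. Only the version numbers and CVE IDs come from the article; the function names, the sample inventory, and the assumption that an iOS device on an unlisted branch (e.g. iOS 13) must move to the newest branch to get the fixes are mine.

```python
"""Fleet check for the four WebKit zero-days fixed by the updates above.

Added example, not from the article. The fixed-version table is taken from the
article; function names, the sample inventory and the branch-selection rule are
assumptions made for illustration.
"""
from typing import Dict, List, Tuple

# Per platform: list of (minimum fixed version, CVEs fixed at that version).
# iOS has two supported branches; 12.5.3 is the build for older devices and
# also fixes CVE-2021-30666 and CVE-2021-30661, which 14.5.1 does not list.
FIXED: Dict[str, List[Tuple[str, List[str]]]] = {
    "macOS":   [("11.3.1", ["CVE-2021-30665", "CVE-2021-30663"])],
    "iPadOS":  [("14.5.1", ["CVE-2021-30665", "CVE-2021-30663"])],
    "watchOS": [("7.4.1",  ["CVE-2021-30665"])],
    "iOS": [
        ("12.5.3", ["CVE-2021-30665", "CVE-2021-30663",
                    "CVE-2021-30666", "CVE-2021-30661"]),
        ("14.5.1", ["CVE-2021-30665", "CVE-2021-30663"]),
    ],
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '11.3.1' into (11, 3, 1); '11.3' becomes (11, 3, 0) so tuples compare."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {v!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def missing_fixes(platform: str, version: str) -> List[str]:
    """Return the CVEs from this advisory that a device is still exposed to.

    Branch selection (assumption): use the branch whose major version matches the
    installed one; otherwise assume the device must reach the newest branch.
    """
    if platform not in FIXED:
        raise ValueError(f"no fixed version known for platform {platform!r}")
    installed = parse_version(version)
    branches = FIXED[platform]
    fixed_at, cves = next(
        (b for b in branches if parse_version(b[0])[0] == installed[0]),
        branches[-1],
    )
    return [] if installed >= parse_version(fixed_at) else list(cves)


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Run missing_fixes over (hostname, platform, version) rows; report exposed hosts."""
    report = []
    for host, platform, version in inventory:
        gaps = missing_fixes(platform, version)
        if gaps:
            report.append((host, gaps))
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("mac-01",   "macOS",   "11.3"),
    ("mac-02",   "macOS",   "11.3.1"),
    ("phone-01", "iOS",     "14.5"),
    ("phone-02", "iOS",     "12.5.2"),
    ("phone-03", "iOS",     "12.5.3"),
    ("watch-01", "watchOS", "7.4"),
    ("pad-01",   "iPadOS",  "14.5.1"),
]

if __name__ == "__main__":
    for host, gaps in audit(SAMPLE_INVENTORY):
        print(f"{host}: still exposed to {', '.join(gaps)}")
```

The comparison is on numeric version tuples rather than strings, so "11.10" would correctly sort after "11.3"; the branch rule is the one thing to revisit if Apple ships a fix for an iOS 13 build, which this article does not mention.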

WebKit is a browser engine developed by Apple and used by Safari on macOS, iOS and iPadOS. Though watchOS doesn’t have the Safari app, it has WebKit so that Apple Watch users can open web content on the device.

Three of the four fixed vulnerabilities were reported by researchers from Beijing-based security firm Qihoo 360, the remaining one by an anonymous researcher.

As per usual, Apple has not shared specific details about the fixed flaws or explained in which attacks they are being exploited. Users are advised to update their Apple devices as soon as possible.
