Apple hurries out fixes for WebKit zero-days

Apple dropped updates on Monday for iOS, macOS and watchOS in response to in-the-wild attacks on its WebKit browser engine.

The macOS Big Sur 11.3.1, iOS/iPadOS 14.5.1 and iOS 12.5.3 each include fixes for CVE-2021-30665 and CVE-2021-30663. Both flaws are present in WebKit, the engine Apple uses as the basis for its Safari desktop browser and multiple components of iOS.

Each bug enables an attacker to run arbitrary code and commands by way of a poisoned web page. In the case of CVE-2021-30665, discovered by a trio of researchers at Chinese security vendor Qihoo 360 ATA, the exploit is carried out by way of a memory corruption error that allows code injection. CVE-2021-30663, detected by an anonymous researcher, is blamed on an integer overflow error caused by improper handling of user input.

On Mac desktops and notebooks, the bugs could be used to covertly install malware, such as ransomware or data harvesting tools. For iOS devices, the more likely aim would be to tamper with the firmware and security settings on a victim's device. These sorts of arbitrary code execution bugs are also favorites with the iOS jailbreaking community, as they enable automated installation of tools that let users connect to software outside of the Apple-approved iOS App Store.

In both cases, Apple warns of ongoing attacks in the wild; the update advisory for both zero-day vulnerabilities said the company is "aware of a report that this issue may have been actively exploited." Apple did not provide any details as to how widespread the exploits were in their scope; often these zero-day exploits are seen in very limited targeted attacks.

SearchSecurity contacted researchers at Qihoo 360 ATA but had not heard back from them at press time.

Users and administrators should immediately install these updates now that word of the attacks is out and widespread use of the exploit code with automated attack tools is likely.

Those who use or manage older iPhones and iPads running iOS 12.5 will want to make sure the 12.5.3 update is installed. In addition to the above-mentioned vulnerabilities, Apple engineers have released fixes for two actively exploited security flaws that are not present in newer versions of iOS.

CVE-2021-30661 is a code execution flaw created by a use-after-free condition, while CVE-2021-30666 is triggered by a buffer overflow error. In each case, the result is the same -- an attacker can execute arbitrary code by way of malicious web content. Both bugs were discovered by the same Qihoo 360 ATA trio that found and reported CVE-2021-30665.

While not necessarily a top priority like the iOS and macOS patches, the watchOS 7.4.1 patch should also be applied by those owning an Apple Watch Series 3 or later. That update contains a fix for CVE-2021-30665, the lone WebKit flaw on Apple's smartwatch.