Apple issues urgent patch to address flaws under active attacks

It is unclear who is exploiting the zero-days, and who the target is

Apple has released multiple security updates to address four critical security bugs impacting iOS, macOS and watchOS.

Apple said it was aware of a report that the issue 'may have been actively exploited' by threat actors.

These patched vulnerabilities are indexed as CVE-2021-30665, CVE-2021-30663, CVE-2021-30666 and CVE-2021-30661.

Both CVE-2021-30665 and CVE-2021-30663 reside in Apple's Webkit browser engine; an attacker could use them to remotely execute arbitrary code on fully up-to-date devices after a user visits a malicious website. Affected devices include the iPhone 6 and later; iPad Mini 4 and later; iPod Touch (7th generation); iPad Air 2 and later; iPad Pro (all models); iPad 5th generation and later; macOS Big Sur; and Apple Watch Series 3 and later.

Researchers from China-based security firm Qihoo 360 ATA found CVE-2021-30665, while an anonymous researcher found CVE-2021-30663.

CVE-2021-30661 is another code execution bug, this time in the iOS Webkit. Apple patched it in iOS 14.5 and macOS 11.3 last week, but missed iOS 12. The new iOS 12.5.3 update addresses that.

CVE-2021-30666, a buffer overflow issue, also applies to iOS 12. Apple addressed this flaw with improved memory handling in the 12.5.3 update.

Apple did not provide any details regarding who was exploiting the zero-days or whom they were targetting.

Following Monday's release, the latest version of iOS and iPadOS is 14.5.1, while for macOS and watchOS, the latest versions are 11.3.1 and 7.4.1, respectively.

iOS 14.5.1 also addresses an issue in the newly released App Tracking Transparency feature rolled out in the previous version. The bug prevented users from seeing App Tracking Transparency prompts within apps.

The new patches come more than a month after Apple released an update for iPhones, iPads and Apple Watches, to address another zero-day bug under active attack.

The bug, CVE-2021-1879, also targeted Webkit. Attackers could leverage the flaw to launch universal cross-site scripting attacks after tricking a user into opening malicious web content. Apple addressed the bug by improving object lifetime management in iOS 14.4.2, iOS 12.5.2 and watchOS 7.3.3.

The company also addressed three zero-day bugs - CVE-2021-1870, CVE-2021-1871 (affecting WebKit) and CVE-2021-1782 in iOS kernel - in January, which criminals could use to achieve remote code execution after elevating privileges on a vulnerable system.