Apple has fastened two iOS zero-day vulnerabilities that “could have been actively exploited” to hack into older iPhone, iPad, and iPod units.
The 2 bugs (tracked as CVE-2021-30761 and CVE-2021-30762) are brought on by reminiscence corruption and use after free points within the WebKit browser engine, each discovered and reported by nameless researchers.
Webkit is a browser rendering engine utilized by Apple net browsers and purposes to render HTML content material on desktop and cellular platforms, together with iOS, macOS, tvOS, and iPadOS.
Attackers may exploit the 2 vulnerabilities utilizing maliciously crafted net content material that might set off arbitrary code execution after being loaded by the targets on unpatched units.
Impacted units embody older:
- iPhones (iPhone 5s, iPhone 6, iPhone 6 Plus).
- iPads (iPad Air, iPad mini 2, iPad mini 3).
- and the iPod contact (sixth technology).
“Apple is conscious of a report that this concern could have been actively exploited,” Apple mentioned when describing the 2 iOS 12.5.4 vulnerabilities.
Regular stream of exploited zero-days
Since March, we have seen a neverending stream of zero-day bugs—9 of them in complete—exhibiting up in Apple’s safety advisories, most of them additionally tagged as having been exploited in assaults.
Final month, Apple patched a macOS zero-day (CVE-2021-30713) utilized by the XCSSET malware to bypass Apple’s TCC protections designed to safeguard its customers’ privateness.
Apple additionally addressed three zero-days (CVE-2021-30663, CVE-2021-30665, and CVE-2021-30666) in Could, bugs discovered within the Webkit engine permitting arbitrary distant code execution (RCE) on susceptible units just by visiting malicious web sites.
The corporate additionally issued safety updates to handle another iOS zero-day (CVE-2021-1879) in March and zero-days in iOS (CVE-2021-30661) and macOS zero-day (CVE-2021-30657) in April.
The latter was exploited by Shlayer malware to bypass Apple’s File Quarantine, Gatekeeper, and Notarization safety checks.