A week after releasing a major new version of iOS with a considerable number of security patches Apple has pushed an emergency update that includes fixes for two WebKit vulnerabilities that are being actively exploited.
One of the vulnerabilities is an integer overflow (CVE-2021-30663) and the other is a memory corruption bug (CVE-2021-30665), and both can lead to remote code execution on vulnerable iPhones and iPads. Apple released iOS 14.5.1 on Monday to address the vulnerabilities.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the Apple advisory says.
Apple also pushed emergency patches in iOS 12.5.3 for two additional actively exploited WebKit vulnerabilities for older iPhones and iPads. Those two vulnerabilities are similar to the other two WebKit flaws, though one is a use-after-free flaw and the other is a buffer overflow vulnerability. Both can lead to remote code execution, and attackers have already been targeting them, according to Apple.
Since just the beginning of this year, Apple has patched seven separate WebKit vulnerabilities that were exploited in the wild.
WebKit has been the security Achilles heel of iOS, especially in the last few years as more and more vulnerabilities in the framework have emerged. Apple has spent an untold amount of time and money creating a walled garden around iOS, through the restrictions in the App Store, requirements for developer code signing, and a host of security features in iOS itself. But WebKit, which is the engine for Safari and other iOS browsers, has been a different story.
Since just the beginning of this year, Apple has patched seven separate WebKit vulnerabilities that were exploited in the wild, and virtually no regular iOS or Safari update goes by without a fix for at least one WebKit vulnerability.
Apple also released a new version of Safari for macOS Catalina and Big Sur that includes patches for the same bugs that were fixed in iOS 14.5.1.