On Monday, May 3, Apple distributed emergency patches to macOS, iPadOS, watchOS, and two different versions of iOS that fix four flaws in WebKit, the rendering engine for the Safari web browser.
Macs move to macOS Big Sur 11.3.1, and Apple Watch to watchOS 7.4.1. Newer iPhones and iPads get iOS/iPadOS 14.5.1, while older models (back to the 2013 iPhone 5s, iPad Air, and iPad mini 2) get iOS 12.5.3.
Install these updates when they arrive. For each flaw, the company states that "Apple is aware of reports that this issue may have been actively exploited."
In each case, Apple states that "processing maliciously crafted web content may lead to arbitrary code execution." In plain terms, a booby-trapped web page could remotely compromise a Mac, iPhone, iPad, or Apple Watch. Three of the four flaws, tracked as CVE-2021-30661, CVE-2021-30665, and CVE-2021-30666, are credited to Chinese researchers Yang Kang (aka "@dnpushme"), "zerokeeper", and Bian Liang. Apple lists their affiliation as "360 ATA", so they may be part of the Qihoo 360 group; all three defects involve improper handling of memory.
The fourth vulnerability, CVE-2021-30663, is credited to an "anonymous researcher", and Apple describes it only as an "integer overflow."
The iOS 12.5.3 update patches all four flaws. The other updates (macOS 11.3.1, iOS/iPadOS 14.5.1, and watchOS 7.4.1) patch only CVE-2021-30663 and CVE-2021-30665; the other two flaws were probably fixed in an earlier system update on those platforms.
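The split across release branches is the part that trips up fleet checks: iOS 14.5 is newer than iOS 12.5.3, yet only the latter carries these fixes, so a plain "newer is safer" comparison gives the wrong answer. The following check, added here as an example and not code from the article or from Apple, compares a reported version against the fixed release for its own major branch. The version table is taken from the article; the platform names, the handling of unlisted branches (reported as unpatched) and the sample inventory are this example's own assumptions.

```python
"""Check whether a reported Apple OS version carries the May 3, 2021 WebKit fixes.

Version table from the article above; platform names and the treatment of
unlisted release branches are assumptions made for this example.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Minimum release that carries the fixes, keyed by platform and major branch.
# Branches released after this table was written must be added by hand.
FIXED: Dict[str, Dict[int, Version]] = {
    "macOS": {11: (11, 3, 1)},
    "iOS": {14: (14, 5, 1), 12: (12, 5, 3)},
    "iPadOS": {14: (14, 5, 1), 12: (12, 5, 3)},
    "watchOS": {7: (7, 4, 1)},
}


def parse_version(text: str) -> Version:
    """Turn '14.5' or '11.3.1' (as printed by `sw_vers -productVersion`) into a 3-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    padded = parts + [0] * (3 - len(parts))  # '14.5' -> (14, 5, 0)
    return (padded[0], padded[1], padded[2])


def is_patched(platform: str, version_text: str) -> bool:
    """True if the version is at or above the fixed release for its own branch.

    Comparison is done within the major branch only: iOS 12.5.3 is patched
    while iOS 14.5 is not. A branch with no listed fix (e.g. iOS 13.x) is
    treated as unpatched; that is an assumption, not a statement from Apple.
    """
    version = parse_version(version_text)
    branch_fixes = FIXED.get(platform)
    if branch_fixes is None:
        raise ValueError(f"unknown platform: {platform!r}")
    fixed = branch_fixes.get(version[0])
    if fixed is None:
        return False
    return version >= fixed


def audit(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (platform, version) pairs that still need the update."""
    return [(p, v) for p, v in inventory if not is_patched(p, v)]


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("macOS", "11.3.1"),
    ("macOS", "11.3"),
    ("iOS", "14.5"),
    ("iOS", "12.5.3"),
    ("iPadOS", "14.5.1"),
    ("iOS", "13.7"),
    ("watchOS", "7.4"),
]

if __name__ == "__main__":
    for platform, version in audit(SAMPLE_INVENTORY):
        print(f"NEEDS UPDATE: {platform} {version}")
```

On a Mac the real input is the output of `sw_vers -productVersion`; for phones and watches it comes from whatever MDM inventory you have. Keep the table keyed by branch rather than by a single "latest" number, or the iOS 12 devices will be flagged forever and the iOS 14.5 devices never.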
Apple usually reveals few details about security flaws until after most users have installed the fixes.
Apple has been busy on the information security front in recent weeks. Last week, the company released macOS 11.3, which, like today's release, fixes a very serious flaw that had already been exploited by attackers. Like the four flaws disclosed today, it is what is known as a "zero-day": the vendor had zero days' warning, because the flaw was being exploited before a patch existed.
In early April, German researchers announced that Apple's AirDrop wireless file-sharing protocol could be exploited to leak users' contact information to anyone nearby. The flaw does not appear to have been fixed in today's update.