May 5, 2021

Apple fixes two actively exploited flaws

On 3 May 2021, Apple released fixes for two actively exploited vulnerabilities in the WebKit engine that can be used to attack iPhones, iPads, iPods, macOS, and Apple Watch devices. We recommend applying the latest updates as soon as possible.

Details

  • Apple addressed the flaws in the iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1 updates.
  • One flaw, tracked as CVE-2021-30665, is a memory corruption issue. The other, CVE-2021-30663, is an integer overflow that is now addressed with improved input validation.
  • Both vulnerabilities could allow arbitrary remote code execution (RCE) on vulnerable devices if a victim visits a maliciously crafted web page.

Recommendations

  • We recommend applying the latest updates as soon as possible, as actively exploited flaws present a high risk to unpatched devices.
  • On iOS and iPadOS, if you don't have automatic updates enabled, go to Settings -> General -> Software Update.
  • Exploitation requires user interaction, which makes this a good reminder for users not to click on any links from unknown sources.
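
To find devices that still need these updates, a fleet inventory can be checked against the fixed releases listed under Details. The following is an added example, not Apple's or this advisory's own tooling; it compares each device within its own release branch, so an iOS 12.5.3 device counts as patched even though it is below 14.5.1. The inventory rows, the iPadOS-to-iOS mapping, and the treatment of later major releases are assumptions.

```python
# Fixed releases from the advisory above: (platform, major) -> first fixed version.
FIXED = {
    ("ios", 14): (14, 5, 1),
    ("ios", 12): (12, 5, 3),
    ("macos", 11): (11, 3, 1),
    ("watchos", 7): (7, 4, 1),
}
# Assumption: iPadOS devices are checked against the iOS entries.
ALIASES = {"ipados": "ios"}


def parse_version(text):
    """Turn '14.5' into (14, 5, 0) so comparisons are numeric, not lexical."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def classify(platform, version):
    """Return 'patched', 'needs-update', or 'unlisted' for one device."""
    name = ALIASES.get(platform.lower(), platform.lower())
    ver = parse_version(version)
    branches = {maj: fx for (plat, maj), fx in FIXED.items() if plat == name}
    if not branches:
        return "unlisted"  # platform not named in the advisory
    if ver[0] > max(branches):
        return "patched"   # assumption: later major releases carry the fix
    fixed = branches.get(ver[0])
    if fixed is None:
        return "unlisted"  # no fixed build listed for this branch; do not guess
    return "patched" if ver >= fixed else "needs-update"


# Constructed sample inventory: (hostname, platform, OS version).
INVENTORY = [
    ("iphone-01", "iOS", "14.5.1"), ("iphone-02", "iOS", "14.5"),
    ("iphone-03", "iOS", "12.5.3"), ("ipad-01", "iPadOS", "13.7"),
    ("mac-01", "macOS", "11.3"), ("mac-02", "macOS", "10.15.7"),
    ("watch-01", "watchOS", "7.4.1"),
]


def report(inventory):
    return {host: classify(plat, ver) for host, plat, ver in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as `unlisted` run a branch for which this advisory names no fixed release and need to be checked against Apple's own security notes.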
