On 3 May 2021, Apple released fixes for two actively exploited vulnerabilities in the WebKit engine that can be used to attack iPhones, iPads, iPods, macOS, and Apple Watch devices. We recommend applying the latest updates as soon as possible.
- Apple addressed the flaws in the iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and the watchOS 7.4.1 updates.
- One flaw, tracked as CVE-2021-30665, is a memory corruption issue. Another flaw, CVE-2021-30663, is an integer overflow which is now addressed with improved input validation.
- Both vulnerabilities could allow arbitrary remote code execution (RCE) on vulnerable devices if a victim visits a maliciously-crafted web page.
- We recommend applying the latest updates as soon as possible as actively-exploited flaws present high risk to unpatched devices.
- If you don’t have automatic updates enabled, on iOS and iPadOS go to Settings -> General -> Software Update.
The flaw requires user interaction to exploit, and this is a good reminder for users not to click on any links from unknown sources.
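To check a device fleet against the fixed releases listed above, the following added example (not part of the original advisory) sorts an inventory into patched, needs-update and unknown. The inventory format and hostnames are constructed, and treating later major releases as already containing the fix is an assumption.

```python
# Fixed releases named in the advisory, keyed by platform and major-version branch.
FIXED = {
    "iOS": {12: (12, 5, 3), 14: (14, 5, 1)},
    "macOS": {11: (11, 3, 1)},
    "watchOS": {7: (7, 4, 1)},
}

def parse_version(text):
    """Turn '14.5' or '14.5.1' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def status(platform, version_text):
    """Return 'patched', 'needs-update' or 'unknown' for one device."""
    branches = FIXED.get(platform)
    if branches is None:
        return "unknown"  # platform not covered by the advisory
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable version: review by hand
    major = version[0]
    if major in branches:
        return "patched" if version >= branches[major] else "needs-update"
    if major > max(branches):
        return "patched"  # assumption: later major releases include the fix
    return "unknown"  # branch not named in the advisory: review by hand

# Constructed sample inventory (hostname, platform, OS version), e.g. an MDM export.
SAMPLE = [
    ("ceo-iphone", "iOS", "14.5"),
    ("lab-iphone6", "iOS", "12.5.3"),
    ("dev-mbp", "macOS", "11.3.1"),
    ("qa-watch", "watchOS", "7.4"),
    ("old-imac", "macOS", "10.15.7"),
]

def triage(inventory):
    """Group hostnames by status so unpatched devices can be prioritised."""
    report = {"patched": [], "needs-update": [], "unknown": []}
    for host, platform, version in inventory:
        report[status(platform, version)].append(host)
    return report

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```

Devices reported as unknown run a platform or version branch the advisory does not name and need manual review.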