Apple on Monday shipped out-of-band security patches to address two zero-day vulnerabilities in iOS 12.5.3 that it states are being actively exploited in the wild.
The most up-to-date update, iOS 12.5.4, will come with 3 security fixes, such as a memory corruption issue in the ASN.1 decoder (CVE-2021-30737) and two flaws concerning the WebKit browser motor that could be abused to attain distant code execution —
- CVE-2021-30761 – A memory corruption issue that could be exploited to achieve arbitrary code execution when processing maliciously crafted web articles. The flaw was dealt with with enhanced point out management.
- CVE-2021-30762 – A use-following-free of charge issue that could be exploited to obtain arbitrary code execution when processing maliciously crafted web written content. The flaw was settled with improved memory management.
Both of those CVE-2021-30761 and CVE-2021-30762 were being described to Apple anonymously, with the Cupertino-centered enterprise stating in its advisory that it truly is aware of experiences that the vulnerabilities “could have been actively exploited.” As is generally the circumstance, Apple failed to share any details on the character of the attacks, the victims that could have been targeted, or the threat actors that may be abusing them.
A person issue evident, nonetheless, is that the active exploitation attempts have been directed from owners of older devices these as iPhone 5s, iPhone 6, iPhone 6 As well as, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th technology). The go mirrors a equivalent correct that Apple rolled out on May well 3 to remediate a buffer overflow vulnerability (CVE-2021-30666) in WebKit focusing on the identical established of devices.
Along with the two aforementioned flaws, Apple has patched a full of 12 zero-days impacting iOS, iPadOS, macOS, tvOS, and watchOS because the begin of the calendar year —
- CVE-2021-1782 (Kernel) – A destructive software may well be able to elevate privileges
- CVE-2021-1870 (WebKit) – A distant attacker may well be equipped to bring about arbitrary code execution
- CVE-2021-1871 (WebKit) – A remote attacker may perhaps be in a position to lead to arbitrary code execution
- CVE-2021-1879 (WebKit) – Processing maliciously crafted web content may direct to universal cross-web page scripting
- CVE-2021-30657 (Program Tastes) – A malicious application may bypass Gatekeeper checks
- CVE-2021-30661 (WebKit Storage)- Processing maliciously crafted web written content may direct to arbitrary code execution
- CVE-2021-30663 (WebKit) – Processing maliciously crafted web information could guide to arbitrary code execution
- CVE-2021-30665 (WebKit) – Processing maliciously crafted web content material may possibly lead to arbitrary code execution
- CVE-2021-30666 (WebKit) – Processing maliciously crafted web content material could direct to arbitrary code execution
- CVE-2021-30713 (TCC framework) – A malicious software may perhaps be equipped to bypass Privacy tastes
People of Apple devices are encouraged to update to the latest variations to mitigate the risk affiliated with the vulnerabilities.
Found this post intriguing? Comply with THN on Facebook, Twitter and LinkedIn to read through more exclusive content we article.
Some parts of this posting are sourced from: