Apple patches exploited iOS and macOS WebKit flaws

iPhone, iPad, Apple Watch users may have been subject to arbitrary code execution

Apple has released security updates addressing zero-day vulnerabilities in its WebKit browser engine, which is primarily used in Safari and any other web browsers available on iOS, as well as Apple Mail and the App Store.

The two vulnerabilities, tracked as CVE-2021-30665 and CVE-2021-30663, allowed hackers to achieve arbitrary remote code execution (RCE) on any device that had visited a malicious website.

CVE-2021-30665 had been reported by Beijing-based security researcher Yang Kang and Bian Liang, who is reportedly a researcher for antivirus provider Qihoo 360 ATA. The researcher who had discovered CVE-2021-30663 opted to remain anonymous.

Devices that may have been exposed to the two bugs include iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, the 7th generation iPod touch, as well as the Apple Watch Series 3 and later.

The security updates iOS 14.5.1 and iPadOS 14.5.1 were released on Monday to remedy the issues. Apple described them as “a memory corruption issue” and “an integer overflow”, and said they were “addressed with improved state management”.

The latest security update is also a fix for issues with Apple’s new App Tracking Transparency (ATT), which was released with iOS 14.5.

"This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it," Apple stated in its iOS 14.5.1 release notes.

Apple also released an update for macOS Big Sur, labelled 11.3.1.

All three security updates were described as remedies to CVE-2021-30663 and CVE-2021-30665, with the tech giant stating that it “is aware of a report that this issue may have been actively exploited”.

However, the scope of the issue, as well as the number of affected users, was not made publicly available. IT Pro has contacted Apple for comment and will update this story when more information becomes available.

The new security updates come just days after iOS 14.5, released on 27 April, which removed default data tracking and made it a requirement for app developers to present users with a pop-up notification asking them to consent to be tracked.

In the months coming up to the release of iOS 14.5, Facebook publicly campaigned against this decision, arguing that it would severely harm the revenues of its advertising partners, many of which are smaller companies.
