IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple patches iOS 12 after hackers exploit WebKit Engine flaws

The emergency patch addresses two bugs abused to launch remote code execution attacks

Apple has released an out-of-band security fix to address two zero-day vulnerabilities in iOS 12.5.3 that hackers are actively exploiting to launch remote code execution attacks. 

The two flaws under scrutiny are CVE-2021-30761 and CVE-2021-30762, which both lie in the open source WebKit browser rendering engine used by Apple to power Safari, as well as all iOS web browsers. It’s also used by many other apps across the Apple ecosystem on various devices.

Apple has patched these two flaws with iOS version 12.5.4, alongside a fix for a memory corruption issue in ASN.1 decoder, tracked as CVE-2021-30737. Abstract Syntax Notation One, or ASN.1, is a standard interface language for defining data structures that can be serialised and deserialised in a cross-platform way.

The first of the two WebKit flaws, CVE-2021-30761, is also a memory corruption issue that can be exploited to execute code remotely when processing malicious web content. 

The second, CVE-2021-30762, is a use-after-free issue that can also be exploited to launch remote code execution attacks when processing malicious content. 

They’ve been fixed with “improved state management” and “improved memory management” respectively.  

These two are only the latest flaws to affect Apple’s WebKit browser engine that hackers have exploited since the start of the year. In total, Apple has patched seven WebKit-related flaws since January 2021, across various devices. 

Related Resource

Security awareness training strategies for account takeover protection

Why you need an inside-the-perimeter strategy for internal threats

Security awareness training strategies for account takeover protection - whitepaper from MimecastFree download

WebKit, alongside its use in Safari, is also used in various iOS, macOS, watchOS and Apple TV apps and services. 

The latest version of Safari released in April brought with it a host of new WebKit features, APIs, performance improvements and better compatibility for web developers. For example, Safari 14.1 now supports a media encoder as well as date and time inputs on macOS. 

Support for the AudioWorklets technology, a web standard that optimises audio processing in the browser, however, brought with it a glaring security issue

Researchers with Theori reported that a bug in the implementation of this feature made it possible to use technology to get Safari and other WebKit-based browsers to run arbitrary code. Although the WebKit developers fixed the bug, Apple’s Safari developers didn’t bake this into the web browser on iOS or macOS. 

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Apple "completely redesigns" IT certifications, introduces two new exams
Careers & training

Apple "completely redesigns" IT certifications, introduces two new exams

19 May 2022
Apple executive rejoins Google over remote work policy
flexible working

Apple executive rejoins Google over remote work policy

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Three lessons the iPod can teach us about disruption
Technology

Three lessons the iPod can teach us about disruption

11 May 2022

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Microsoft finally adds Power BI integrations to PowerPoint and Outlook
business intelligence (BI)

Microsoft finally adds Power BI integrations to PowerPoint and Outlook

25 May 2022