Apple patches exploited iOS and macOS WebKit flaws
iPhone, iPad, Apple Watch users may have been subject to arbitrary code execution


Apple has released security updates addressing zero-day vulnerabilities in its WebKit browser engine, which is primarily used in Safari and any other web browsers available on iOS, as well as Apple Mail and the App Store.
The two vulnerabilities, tracked as CVE-2021-30665 and CVE-2021-30663, allowed attackers to achieve arbitrary remote code execution (RCE) on any affected device that had visited a malicious website.
CVE-2021-30665 had been reported by Beijing-based security researcher Yang Kang and Bian Liang, who is reportedly a researcher for antivirus provider Qihoo 360 ATA. The researcher who had discovered CVE-2021-30663 opted to remain anonymous.
Devices that may have been exploited by the two bugs include iPhone 6s and later, all models of iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, the 7th generation iPod touch, as well as the Apple Watch Series 3 and later.
The security updates iOS 14.5.1 and iPadOS 14.5.1 were released on Monday to remedy the issues, which Apple described as “a memory corruption issue” and “an integer overflow” that were “addressed with improved state management”.
The latest security update is also a fix for issues with Apple’s new App Tracking Transparency (ATT), which was released with iOS 14.5.
"This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it," Apple stated in its iOS 14.5.1 release notes.
Apple also released an update for macOS Big Sur, labelled 11.3.1.
All three security updates were described as remedies to CVE-2021-30663 and CVE-2021-30665, with the tech giant stating that it “is aware of a report that this issue may have been actively exploited”.
However, the scope of the issue, as well as the number of affected users, was not made publicly available. IT Pro has contacted Apple for comment and will update this story when more information becomes available.
The new security updates come just days after iOS 14.5, released on 27 April, which removed default data tracking and made it a requirement for app developers to present users with a pop-up notification asking them to consent to be tracked.
In the months leading up to the release of iOS 14.5, Facebook publicly campaigned against this decision, arguing that it would severely harm the revenues of its advertising partners, many of which are smaller companies.
Having only graduated from City University in 2019, Sabina has already demonstrated her abilities as a keen writer and effective journalist. Currently a content writer for Drapers, Sabina spent a number of years writing for ITPro, specialising in networking and telecommunications, as well as charting the efforts of technology companies to improve their inclusion and diversity strategies, a topic close to her heart.