Apple patches iOS 12 after hackers exploit WebKit Engine flaws
The emergency patch addresses two bugs abused to launch remote code execution attacks
Apple has released an out-of-band security fix to address two zero-day vulnerabilities in iOS 12.5.3 that hackers are actively exploiting to launch remote code execution attacks.
The two flaws under scrutiny are CVE-2021-30761 and CVE-2021-30762, which both lie in the open source WebKit browser rendering engine used by Apple to power Safari, as well as all iOS web browsers. It’s also used by many other apps across the Apple ecosystem on various devices.
Apple has patched these two flaws with iOS version 12.5.4, alongside a fix for a memory corruption issue in ASN.1 decoder, tracked as CVE-2021-30737. Abstract Syntax Notation One, or ASN.1, is a standard interface language for defining data structures that can be serialised and deserialised in a cross-platform way.
The first of the two WebKit flaws, CVE-2021-30761, is also a memory corruption issue that can be exploited to execute code remotely when processing malicious web content.
The second, CVE-2021-30762, is a use-after-free issue that can also be exploited to launch remote code execution attacks when processing malicious content.
They’ve been fixed with “improved state management” and “improved memory management” respectively.
These two are only the latest flaws to affect Apple’s WebKit browser engine that hackers have exploited since the start of the year. In total, Apple has patched seven WebKit-related flaws since January 2021, across various devices.
RELATED RESOURCE
Security awareness training strategies for account takeover protection
Why you need an inside-the-perimeter strategy for internal threats
WebKit, alongside its use in Safari, is also used in various iOS, macOS, watchOS and Apple TV apps and services.
The latest version of Safari released in April brought with it a host of new WebKit features, APIs, performance improvements and better compatibility for web developers. For example, Safari 14.1 now supports a media encoder as well as date and time inputs on macOS.
Support for the AudioWorklets technology, a web standard that optimises audio processing in the browser, however, brought with it a glaring security issue.
Researchers with Theori reported that a bug in the implementation of this feature made it possible to use technology to get Safari and other WebKit-based browsers to run arbitrary code. Although the WebKit developers fixed the bug, Apple’s Safari developers didn’t bake this into the web browser on iOS or macOS.
-
Oracle leans on one-size-fits-all appeal of OCI for enterprisesOpinion Oracle sees its neutral approach to AI deployment, full-stack scalability, and commitment to sovereign deployment as its USPs in the age of agentic AI
-
Everything you need to know about GitHub's new AI training policyNews Users of certain GitHub Copilot plans will have interaction data used to train AI models, but can opt out
-
Ubuntu vulnerability exposes enterprises to root escalation, complete system compromiseNews The high-severity Ubuntu vulnerability allows an unprivileged local attacker to escalate privileges through the interaction of two standard system components
-
Organizations hit by 90 zero-day vulnerabilities last yearNews Google Threat Intelligence researchers warn that edge devices and security appliances are prime entry points
-
Security agencies issue warning over critical Cisco Catalyst SD-WAN vulnerabilityNews Threat actors have been exploiting the vulnerability to achieve root access since 2023
-
Millions of developers could be impacted by flaws in Visual Studio Code extensions – here's what you need to know and how to protect yourselfNews The VS Code vulnerabilities highlight broader IDE security risks, said OX Security
-
CVEs are set to top 50,000 this year, marking a record high – here’s how CISOs and security teams can prepare for a looming onslaughtNews While the CVE figures might be daunting, they won't all be relevant to your organization
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers
-
Experts welcome EU-led alternative to MITRE's vulnerability tracking schemeNews The EU-led framework will reduce reliance on US-based MITRE vulnerability reporting database
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
