Apple has released security updates to fix two actively exploited iOS zero-day vulnerabilities in the WebKit engine that attackers have used against iPhones, iPads, iPods, macOS, and Apple Watch devices.
Apple issued multiple security advisories, each stating that the company is aware of a report that the issue may have been actively exploited.
WebKit is Apple's browser rendering engine, used by all mobile web browsers on iOS and by other applications that render HTML, such as Apple Mail and the App Store.
These vulnerabilities are tracked as CVE-2021-30665 and CVE-2021-30663, and both allow arbitrary remote code execution (RCE) on vulnerable devices simply by visiting a malicious website.
RCE vulnerabilities allow attackers to target vulnerable devices and execute commands on them remotely.
CVE-2021-30665 was discovered by Yang Kang, zerokeeper, and Bian Liang of Qihoo 360 ATA, while CVE-2021-30663 was reported to Apple by an anonymous researcher.
The list of affected devices includes:
- iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- macOS Big Sur
- Apple Watch Series 3 and later
Apple addressed the zero-days in the iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1 updates.
This update also fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it.
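For a defender, the practical follow-up to an advisory like this is confirming that every managed device is on a fixed build. The script below is an added example, not code from Apple or from the article: it encodes the fixed versions named above (iOS 12.5.3 and 14.5.1, macOS 11.3.1, watchOS 7.4.1) and flags inventory entries that fall below the fix for their major release line. The inventory records are constructed for the example, and two assumptions are labelled in the code: iPadOS is treated as tracking the iOS fixed versions, and a device on a major line with no listed fix (for instance iOS 13.x) is reported as unpatched because it must move to 14.5.1.

```python
"""Patch-compliance check for the WebKit zero-days CVE-2021-30665 and
CVE-2021-30663, using the fixed versions named in Apple's advisories.
Added example; the inventory records below are constructed, not real data."""

import re

# Minimum fixed version per platform and major release line, from the advisories.
# Assumption: iPadOS tracks the iOS fixed versions (the article lists iPads under iOS).
# Assumption: a major line with no listed fix (e.g. iOS 13.x) is treated as unpatched,
# since those devices need to upgrade to 14.5.1.
_IOS_FIXES = {12: (12, 5, 3), 14: (14, 5, 1)}
FIXED_VERSIONS = {
    "iOS": _IOS_FIXES,
    "iPadOS": _IOS_FIXES,
    "macOS": {11: (11, 3, 1)},
    "watchOS": {7: (7, 4, 1)},
}


def parse_version(text):
    """Turn '14.5.1' or '11.3' into a comparable tuple, padding to three parts."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_patched(platform, version):
    """True if the device runs a build at or above the fix for its major release line."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(platform, {}).get(v[0])
    if fixed is None:
        # Unknown platform, or a major line with no fix listed: report as unpatched
        return False
    return v >= fixed


def unpatched_devices(inventory):
    """Return the inventory entries that still need the update."""
    return [d for d in inventory if not is_patched(d["platform"], d["version"])]


# Constructed MDM-style inventory for the example.
SAMPLE_INVENTORY = [
    {"name": "iphone-01", "platform": "iOS", "version": "14.5.1"},
    {"name": "iphone-02", "platform": "iOS", "version": "14.5"},
    {"name": "iphone-03", "platform": "iOS", "version": "12.5.3"},
    {"name": "ipad-01", "platform": "iPadOS", "version": "13.7"},
    {"name": "mac-01", "platform": "macOS", "version": "11.3"},
    {"name": "mac-02", "platform": "macOS", "version": "11.3.1"},
    {"name": "watch-01", "platform": "watchOS", "version": "7.4.1"},
]

if __name__ == "__main__":
    for d in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{d['name']}: {d['platform']} {d['version']} is not patched")
```

Comparing padded version tuples rather than strings matters here: a string comparison would rank macOS "11.3" above "11.3.1" only by accident of length, whereas the tuple form makes 11.3 correctly fall below the 11.3.1 fix.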