A week after Apple issued its biggest iOS and iPadOS update since last September’s release of version 14.0, the company has released a new update to patch two zero-days that allowed attackers to execute malicious code on fully up-to-date devices. Monday’s release of version 14.5.1 also fixes problems with a bug in the newly released App Tracking Transparency feature rolled out in the previous version.
Both vulnerabilities reside in Webkit, a browser engine that renders Web content in Safari, Mail, App Store, and other select apps running on iOS, macOS, and Linux. CVE-2021-30663 and CVE-2021-30665, as the zero-days are tracked, have now been patched. Last week, Apple fixed CVE-2021-30661, another code-execution flaw in iOS Webkit, that also might have been actively exploited.
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple said in its security notes, referring to the flaws. “Apple is aware of a report that this issue may have been actively exploited.” MacOS 11.3.1, which Apple also released on Monday, also fixed CVE-2021-30663 and CVE-2021-30665.
CVE-2021-30665 was discovered by researchers from China-based security firm Qihoo 360. The other vulnerability was discovered by an anonymous source. Apple provided no details about who is using the exploits or who is being targeted by them.
Coveted by black hats, feared by defenders
According to figures from Google’s Project Zero vulnerability research team, the three recently patched iOS vulnerabilities bring the number of zero-days actively exploited against iOS users to seven. With a total of 22 zero-days found so far in 2021, those exploiting the Apple mobile OS make up almost 33 percent of them. That makes iOS the second most targeted software by zero-days this year, behind Chrome, which has had eight zero-days.
Zero-days are highly coveted by black hats and feared by defenders because they are unknown to the developers of the vulnerable software and the public at large. That means the people who discover the security flaws can use them to hack devices that are fully up to date, often with little or no detection.
Separately, 14.5.1 fixes a bug that kept some users from seeing App Tracking Transparency prompts.
“This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it,” the update description said. “This update also provides important security updates and is recommended for all users.”
Apple rolled out App Tracking Transparency in last week’s release of iOS 14.5. The addition has roiled Facebook because it prevents the company’s app from tracking user activity across other apps users have installed without explicit permission. A second bug can cause the App Tracking Transparency toggle in the settings menu to be grayed out. There are numerous reports that the toggle remains grayed out for many users even after updating to iOS 14.5.1. Apple representatives didn’t immediately respond to a request for comment.