Apple rolled out fixes for iOS, iPadOS, macOS, and watchOS to address three zero-day flaws and released additional patches for a fourth bug that the iPhone maker said may have been exploited in the wild.
The vulnerabilities affect WebKit, the browser engine that powers Apple's Safari browser and is built into many of the company's products. Note that on iOS and iPadOS every third-party browser and every in-app web view also renders through WebKit, so the exposure is not limited to users of Safari. The four flaws are described as follows:
CVE-2021-30666 - the vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
CVE-2021-30665 - the issue exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
CVE-2021-30663 - the vulnerability exists due to an integer overflow in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger the integer overflow and execute arbitrary code on the target system.
CVE-2021-30661 - the vulnerability exists due to a use-after-free error when processing web content in the WebKit Storage component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger the use-after-free and execute arbitrary code on the target system.
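To make the "integer overflow leads to memory corruption" bug class named for CVE-2021-30663 concrete, here is an added illustrative example. It is constructed for this page and is not WebKit's code, not Apple's patch, and not the actual defect behind any of the CVEs above. It assumes a parser that reads an element count and element size from attacker-controlled web content (hypothetical inputs), multiplies them in 32-bit arithmetic to size a heap buffer, and then writes all the elements: when the product wraps, the buffer is far smaller than the data written into it. The hardened variant checks for the wrap before allocating.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not WebKit code: count and elem_size stand in for
 * values a content parser would read from a crafted web page. */

/* Vulnerable pattern: 32-bit multiply wraps silently, so the allocation
 * can end up much smaller than the number of bytes later written. */
static uint32_t unsafe_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size; /* e.g. 0x40000001 * 4 wraps to 4 */
}

/* Does the vulnerable sizing under-allocate for these inputs?
 * Compares the wrapped size against the true byte count (computed in
 * 64 bits) instead of actually corrupting the heap. */
static bool allocation_too_small(uint32_t count, uint32_t elem_size)
{
    uint64_t needed = (uint64_t)count * elem_size;
    return unsafe_alloc_size(count, elem_size) < needed;
}

/* Hardened pattern: refuse the request if count * elem_size cannot be
 * represented, so the buffer is always as large as the data written. */
static bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false; /* would wrap: treat the input as malformed */
    *out = count * elem_size;
    return true;
}

/* Allocate and fill using the checked size; returns NULL on overflow or
 * allocation failure instead of writing past the end of a short buffer. */
static uint8_t *parse_elements(uint32_t count, uint32_t elem_size, uint8_t fill)
{
    uint32_t size;
    if (!checked_alloc_size(count, elem_size, &size))
        return NULL;
    uint8_t *buf = malloc(size ? size : 1);
    if (!buf)
        return NULL;
    for (uint32_t i = 0; i < size; i++)
        buf[i] = fill; /* bounded by the checked size */
    return buf;
}

int main(void)
{
    /* Constructed hostile input: 0x40000001 elements of 4 bytes. */
    uint32_t bad_count = 0x40000001u, elem = 4u, size;
    printf("unsafe size: %u bytes (needed %llu)\n",
           unsafe_alloc_size(bad_count, elem),
           (unsigned long long)bad_count * elem);
    printf("vulnerable code under-allocates: %s\n",
           allocation_too_small(bad_count, elem) ? "yes" : "no");
    printf("hardened code accepts input: %s\n",
           checked_alloc_size(bad_count, elem, &size) ? "yes" : "no");

    uint8_t *ok = parse_elements(100u, elem, 0xAA);
    printf("benign input allocated: %s\n", ok ? "yes" : "no");
    free(ok);
    return 0;
}
```

The check divides rather than multiplies so that the comparison itself cannot wrap; compilers also offer `__builtin_mul_overflow` for the same purpose, and WebKit's own code uses a checked-arithmetic type for size computations, which is exactly the kind of guard a fix for this class adds.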
The company said it is aware of reports that these flaws "may have been actively exploited", but provided no further information on the nature of the attacks, who was targeted, or who might be behind them.