4 May 2021

Apple releases security updates to fix WebKit zero-day flaws


Apple rolled out fixes for iOS, iPadOS, macOS, and watchOS to address three zero-day flaws and released additional patches for a fourth bug that the iPhone maker said may have been exploited in the wild.

The vulnerabilities affect WebKit, the web browser engine that powers Apple’s Safari browser and is a built-in component in multiple of the company’s products. The four flaws are described as follows:

CVE-2021-30666 - the vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

CVE-2021-30665 - the issue exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

CVE-2021-30663 - the vulnerability exists due to an integer overflow in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger an integer overflow and execute arbitrary code on the target system.

CVE-2021-30661 - the vulnerability exists due to a use-after-free error when processing web content within the WebKit Storage component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.

The company said it is aware of reports that these flaws “may have been actively exploited”, but did not provide further information on the nature of the attacks, who the targets were, or who might have been behind the attacks.
