4 May 2021

Apple releases security updates to fix WebKit zero-day flaws



Apple rolled out fixes for iOS, iPadOS, macOS, and watchOS to address three zero-day flaws and released additional patches for a fourth bug that the iPhone maker said may have been exploited in the wild.

The vulnerabilities affect WebKit, the web browser engine that powers Apple’s Safari browser and is a built-in component in multiple products from the company. The four flaws are described as follows:

CVE-2021-30666 - the vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

CVE-2021-30665 - the issue exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

CVE-2021-30663 - the vulnerability exists due to integer overflow in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger integer overflow and execute arbitrary code on the target system.

CVE-2021-30661 - the vulnerability exists due to a use-after-free error when processing web content within the WebKit Storage component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.

The company said it is aware of reports that these flaws “may have been actively exploited”, but did not provide further information on the nature of the attacks, who the targets were, or who might have been behind the attacks.
