Apple fixes two iOS zero-days exploited in the wild

Apple has released security updates to patch three high-risk vulnerabilities in its iOS operating system, with two of the bugs being zero-day vulnerabilities that the Cupertino-based company says are being exploited in the wild.

The zero-days in question are CVE-2021-30761 and CVE-2021-30762. Both bugs affect the WebKit component in Apple iOS and allow remote code execution.

CVE-2021-30761 is a buffer overflow issue caused by a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

CVE-2021-30762 is a use-after-free vulnerability caused by a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.

In addition, Apple has also patched CVE-2021-30737, a buffer overflow bug in the ASN.1 decoder. The vulnerability is caused by a boundary error in the ASN.1 decoder when processing TLS certificates. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption with a specially crafted TLS certificate and execute arbitrary code on the system.

The iOS 12.5.4 update is intended for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). All users are advised to update their devices as soon as possible.
