Apple has issued two out-of-band security fixes for its Safari web browser, patching zero-day vulnerabilities that ‘may have been actively exploited’. The bugs affect sixth-generation Apple iPhones, iPads and iPod Touch hardware released between 2013 and 2018. Businesses using these devices must update them as soon as possible to avoid any further issues.
An Apple spokesperson said: “Apple is aware of a report that this issue may have been actively exploited.” They added that details of the vulnerabilities will not be released until patches or releases are available, following an investigation. The bugs are tied to Apple’s Safari browser and the underlying iOS code, WebKit, which is responsible for rendering web pages. The patch, iOS 12.5.4, is available for download now.
One of the bugs is a memory corruption issue (CVE-2021-30761), which Apple patched by improving state management in WebKit. State management refers to the handling of the state of one or more user interface controls, such as text fields, OK buttons and radio buttons, in a graphical user interface.
According to Apple, the patch for this bug applies to the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation).
The second flaw was identified as a use-after-free bug (CVE-2021-30762), a type of memory corruption vulnerability. The bug allows an attacker to execute code on targeted devices, and according to Apple, adversaries may be exploiting it on unpatched devices. A use-after-free arises from incorrect handling of dynamic memory during program execution: if a program frees a memory location but does not clear the pointer to it, that pointer still refers to the freed memory, and an attacker can use the error to compromise the program.
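The pointer-left-dangling condition described above, shown beside the hardened form in which the pointer is cleared when the memory is freed. This is an added C example, not code from Apple or WebKit; the record structure and function names are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example of a heap object with the lifetime problem described
 * above: a record freed while a pointer to it is still held. */
struct record {
    char name[32];
    int  id;
};

struct record *record_new(const char *name, int id) {
    struct record *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    strncpy(r->name, name, sizeof r->name - 1);
    r->id = id;
    return r;
}

/* Vulnerable pattern: frees the record but leaves the caller's pointer
 * unchanged, so it now dangles. Any later access through it is a
 * use-after-free. (Shown for contrast; not called by the checks below.) */
void record_release_dangling(struct record *r) {
    free(r);
}

/* Hardened pattern: takes the address of the caller's pointer so the
 * variable itself is cleared after free(). A later access sees NULL and
 * can be rejected instead of touching freed memory. */
void record_release(struct record **rp) {
    if (rp && *rp) {
        free(*rp);
        *rp = NULL;
    }
}

/* Returns the record id, or -1 if the pointer has been cleared. */
int record_id(const struct record *r) {
    return r ? r->id : -1;
}

/* Walks the hardened lifecycle: create, use, release, use again.
 * Returns 1 when the post-release access is correctly refused. */
int demo_safe_lifecycle(void) {
    struct record *r = record_new("session", 42);
    if (!r) return 0;
    int before = record_id(r);   /* 42 */
    record_release(&r);          /* r is now NULL, not dangling */
    int after = record_id(r);    /* -1, freed memory is never read */
    return before == 42 && after == -1 && r == NULL;
}
```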
The iOS patch, distributed as the iOS 12.5.4 update, covers the same model hardware as above.
Neuways advises affected Apple users to install the patches as soon as possible to avoid any related issues. Failure to do so could result in credentials and device information being compromised. The same applies to patches and updates for any software or hardware your business uses: these updates provide up-to-date security fixes and are key to keeping your business cyber-safe.