On Monday, Apple released a quartet of unscheduled updates for iOS, macOS, and watchOS, slapping security patches on flaws in its WebKit browser engine.
Apple has issued out-of-band patches for critical security issues affecting iPad, iPhone and iPod, which could allow remote code execution (RCE) and other attacks, completely compromising users’ systems. And the computing giant thinks all of them may have already been exploited in the wild.
Three of these are zero-day flaws, while one is an expanded patch for a fourth vulnerability.
Apple keeps details of security problems close to the vest, “for our customers’ protection,” saving the blood and guts until after it investigates and manages to pump out patches or new releases.
What data it does disclose can be found on its support page. Here’s a summary of the three zero-days:
Zero-Day Bugs in WebKit
- CVE-2021-30665: A critical memory-corruption issue in the Safari WebKit engine where “processing maliciously crafted web content may lead to arbitrary code execution” was addressed with improved state management. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The bug was reported to Apple by three security researchers, nicknamed yangkang, zerokeeper and bianliang.
- CVE-2021-30663: This second flaw is also found in the open-source WebKit browser engine. It’s an integer overflow, reported by an anonymous researcher, that can also lead to RCE. It was addressed with improved input validation. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
- CVE-2021-30666: A buffer-overflow issue was addressed with improved memory handling. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
And here are details on the expanded patch for the fourth bug:
- CVE-2021-30661: A use-after-free issue was addressed with improved memory management. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). This flaw was discovered and reported to the iPhone maker by the security researcher named yangkang, @dnpushme, of Qihoo 360 ATA.
Apple’s support page shows that this fourth one was actually patched on Monday last week (April 26) in iOS 14.5 and macOS 11.3, but not in iOS 12.
Naked Security’s Paul Ducklin finds this one particularly interesting, and he noted that questions remain. Why wasn’t iOS 12 updated at the same time as iOS 14.5 and macOS 11.3? Did the security hole crop up in the code base after iOS 12 was released, perhaps?
No, that’s not it: the CVE-2021-30661 and CVE-2021-30666 bugs fixed on Monday only apply to iOS 12. So it remains unclear if the bug exists in recent operating system versions, or not, Ducklin said.
“Is this an old bug from iOS 12 that was carried forward into the current Apple codebase but has still not yet been patched there?” Ducklin pondered. “Or is it a bug that is unique to the older iOS 12 code that doesn’t appear in the more recent operating system releases and can therefore now be considered to have been eliminated everywhere?”
Threatpost has reached out to Apple for comment.
Per usual, Apple’s lip is zipped. But one thing’s for sure: Patching as soon as possible is top priority. As it is, the chance of websites passing along “maliciously crafted web content” is alarming. If you translate Apple’s statement that “processing maliciously crafted web content may lead to arbitrary code execution,” you get a “drive-by, web-based zero-day RCE exploit,” according to Ducklin.
In other words, all you have to do to trigger infection is to visit and view a booby-trapped website.
What is WebKit? The Little Engine That Could
Apple developed the WebKit browser engine to run in its Safari web browser, but it’s also used by Apple Mail, the App Store, and various apps on the macOS and iOS operating systems. This, of course, isn’t the first time that the engine has hit some bumps.
In January, Apple released an emergency update that patched three iOS bugs. Two of them (CVE-2021-1870 and CVE-2021-1871) were discovered in WebKit (and the third, tracked as CVE-2021-1782, was found in the OS kernel).
More recently, in March, Apple patched other severe WebKit RCEs. Similar to Monday’s updates, those WebKit fixes could have allowed remote attackers to completely compromise affected systems.