To the attention of Apple users – the company recently released out-of-band-security patches addressing two-zero days in iOS 12.5.3. The vulnerabilities may have been exploited in the wild, so patch your devices immediately.
iOS 12.5.4 Fixes Three Bugs: CVE-2021-30737, CVE-2021-30761, CVE-2021-30762
The latest version of iOS 12.5.4 fixes three security vulnerabilities, as per the official advisory:
- A memory corruption issue in the ASN.1 decoder was addressed by removing the vulnerable code, identified as CVE-2021-30737. The fix is available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch;
- A memory corruption issue in WebKit, addressed with improved state management, identified as CVE-2021-30761, and available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation);
- Another WebKit issued, described as a use after free bug, addressed with improved memory management and identified as CVE-2021-30762; available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch.
The two WebKit vulnerabilities could be exploited to achieve remote code execution. The CVE-2021-30761 and CVE-2021-30762 vulnerabilities were reported to Apple anonymously. Apple says it is aware of reports that the flaws may have been actively exploited. There is no information detailing these attacks.
Other Recent Vulnerabilities in iOS
In March 2021, another vulnerability affecting iOS, macOS, watchOS, and Safari browser was detected by security researchers.
Known as CVE-2021-1844, the bug was discovered by two researchers: Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. The bug is triggered by a memory corruption problem that could cause arbitrary code execution while processing specially crafted web content. The issue was fixed with improved validation, Apple said.
In January 2021, Apple addressed three zero-day vulnerabilities in iOS and iPadOS.
CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871 could allow threat actors to perform privilege escalation and remote code execution attacks. The company said that the vulnerabilities were likely exploited in the wild, without specifying the attacks’ extent.