Apple on Monday (May 3) pushed out emergency patches to macOS, iPadOS, watchOS and two different versions of iOS to fix four flaws in WebKit, the rendering engine that underlies the Safari web browser.
Macs are pushed up to macOS Big Sur 11.3.1. Apple Watch goes up to watchOS 7.4.1. Newer iPhones and iPads get iOS/iPadOS 14.5.1, while older iPhones and iPads (going back to 2013’s iPhone 5s, iPad Air and iPad mini 2) get iOS 12.5.3.
Install these updates when you receive them, because for each flaw, the company states that “Apple is aware of a report that this issue may have been actively exploited.”
In each case, Apple says, “processing maliciously crafted web content may lead to arbitrary code execution.” In plain English, that means web pages could be built to remotely hack your Mac, iPhone, iPad or Apple Watch.
Three of the four flaws (assigned catalog numbers CVE-2021-30661, CVE-2021-30665 and CVE-2021-30666) were credited to Chinese researchers Yang Kang (aka “@dnpushme”), “zerokeeper” and Bian Liang. Apple gave their affiliation as “360 ATA,” which may be part of the Qihoo 360 group. All three flaws had to do with improper handling of running memory.
The fourth vulnerability, CVE-2021-30663, is credited to “an anonymous researcher.” That flaw is described only as an “integer overflow.”
The iOS 12.5.3 update patches all four of the flaws. The other updates patch only CVE-2021-30663 and CVE-2021-30665, the remaining two flaws presumably having been fixed by previous system updates.
Apple normally doesn’t give much in the way of details about security flaws until well after most users have installed the fixes.
Apple has had a busy couple of weeks in terms of information security. Last week, the company released macOS 11.3 to fix a very serious flaw that, like those reported today, was already being used by hackers. As with the four disclosed today, that makes it a “zero-day flaw,” so called because defending developers have zero days to patch the flaw before it’s exploited in the wild.
Earlier in April, German researchers said that Apple’s AirDrop wireless file-sharing protocol could be abused to leak users’ contact information to anyone nearby. That flaw does not seem to have been fixed with today’s updates.