Apple has released a security update for its iOS, iPadOS, macOS, tvOS and watchOS products. The update addressed three zero-day vulnerabilities in WebKit, the browser engine used by Safari and by third-party web browsers on iOS, that are reported to be exploited in the wild. In addition, a fourth zero-day vulnerability was addressed for Apple systems that had not received the patch previously released for it. Successful exploitation could allow attackers to achieve remote code execution (RCE), which could lead to users’ devices being compromised.
______________________________
A. Nature of the Vulnerabilities
Description of the vulnerabilities:
- CVE-2021-30661, a memory corruption issue that could be exploited through maliciously crafted web content, which may lead to code execution.
- CVE-2021-30663, an integer overflow vulnerability that could be exploited through maliciously crafted web content, which may lead to code execution.
- CVE-2021-30665, a memory corruption issue that could be exploited through maliciously crafted web content, which may lead to code execution.
- CVE-2021-30666, a buffer overflow vulnerability that could be exploited through maliciously crafted web content, which may lead to code execution.
______________________________
B. List of Vulnerable Systems
Vulnerable Apple systems include:
macOS:
- Big Sur versions prior to 11.3.1
iOS:
- versions prior to 14.5.1
- versions prior to 12.5.3
iPadOS:
- versions prior to 14.5.1
watchOS:
- versions prior to 7.4.1
tvOS:
- Apple TV 4K
- Apple TV HD
Affected Apple devices and products per vulnerability are as follows:
Mobile Phone:
- iPhone 5s
- iPhone 6 Plus
- iPhone 6
- iPhone 6s and later
Media Devices:
- iPod touch (6th generation)
- iPod touch (7th generation)
Tablet:
- iPad Pro (all models)
- iPad Air
- iPad Air 2 and later
- iPad 5th generation and later
- iPad mini 2
- iPad mini 3
- iPad mini 4 and later
Wearables:
- Apple Watch Series 3 and later
______________________________
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Immediately test and apply the patched versions of the affected Apple products, as listed in Apple’s published security advisories:
- https://support.apple.com/en-us/HT212335
- https://support.apple.com/en-us/HT212336
- https://support.apple.com/en-us/HT212339
- https://support.apple.com/en-us/HT212341
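To support the patching action above, the following added example (not part of the CERT-PH advisory or of Apple's own tooling) audits a device inventory against the fixed versions listed in section B. The inventory records, the platform and field names, and the device names are constructed for illustration. The one subtlety it handles is that iOS has two patched branches (14.5.1 for current devices and 12.5.3 for older devices), so a naive numeric comparison would wrongly flag an iPhone 6 on 12.5.3 as vulnerable; tvOS has no version threshold on this page, so the script reports it as "not covered" rather than guessing.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions per platform, taken from section B of the advisory.
# Each platform maps to a list of (major branch, minimum patched version),
# because iOS is maintained on two branches at once.
PATCHED_VERSIONS: Dict[str, List[Tuple[int, Version]]] = {
    "macOS": [(11, (11, 3, 1))],                      # Big Sur 11.3.1
    "iOS": [(14, (14, 5, 1)), (12, (12, 5, 3))],      # current and legacy branches
    "iPadOS": [(14, (14, 5, 1))],
    "watchOS": [(7, (7, 4, 1))],
    # tvOS: the advisory lists affected devices but no fixed version, so it is omitted
}


def parse_version(text: str) -> Version:
    """Turn '14.5' or '14.5.1' into a zero-padded 3-tuple so tuples order correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(platform: str, version_text: str) -> Optional[bool]:
    """True if the device is on an affected branch below the fixed version,
    False if it is at or above the fixed version for its branch,
    None if the advisory gives no threshold for this platform or branch."""
    branches = PATCHED_VERSIONS.get(platform)
    if branches is None:
        return None
    version = parse_version(version_text)
    for major, fixed in branches:
        if version[0] == major:
            return version < fixed
    # Branch not listed on the page (e.g. iOS 13.x or macOS 10.15): do not guess.
    return None


def classify(platform: str, version_text: str) -> str:
    verdict = is_vulnerable(platform, version_text)
    if verdict is True:
        return "VULNERABLE - update required"
    if verdict is False:
        return "patched"
    return "not covered by advisory - check vendor guidance"


def audit(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (device name, status) for every record; records are dicts with
    'name', 'platform' and 'version' keys (constructed field names)."""
    return [(dev["name"], classify(dev["platform"], dev["version"])) for dev in inventory]


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"name": "mbp-finance-01", "platform": "macOS", "version": "11.3"},
    {"name": "mbp-finance-02", "platform": "macOS", "version": "11.3.1"},
    {"name": "iphone-sales-07", "platform": "iOS", "version": "14.5"},
    {"name": "iphone6-kiosk-02", "platform": "iOS", "version": "12.5.3"},
    {"name": "iphone-legacy-03", "platform": "iOS", "version": "12.5.2"},
    {"name": "ipad-lobby-01", "platform": "iPadOS", "version": "14.5.1"},
    {"name": "watch-exec-01", "platform": "watchOS", "version": "7.4"},
    {"name": "appletv-boardroom", "platform": "tvOS", "version": "14.5"},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY):
        print(f"{name:20} {status}")
```

On a managed Mac the running version can be fed in from `sw_vers -productVersion`; on iOS and watchOS the version normally comes from an MDM inventory export rather than from the device shell. The "not covered" verdict is deliberate: treating an unlisted branch as either safe or vulnerable would be a guess the advisory does not support.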