Apple has fixed two weaknesses in Safari and in the browser's underlying HTML rendering engine WebKit, a further developed spin-off from KHTML and the JavaScript implementation KJS, and updates for iOS and iPadOS as well as macOS and watchOS released.
Updates for iOS, iPadOS, watchOS and macOS
In addition to iOS 14.5.1 and iPadOS 14.5.1, the company released watchOS 7.4.1 and macOS 11.3.1. Common to all new versions is a bug fix for the two previously critical vulnerabilities CVE-2021-30665 and CVE-2021-30663, which will now be closed with the corresponding updates.
Apple recommends installing the updates immediately for security reasons.
iOS and iPadOS 14.5.1 – Release Notes
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2021-30665: yangkang ( @dnpushme) & amp; zerokeeper & amp; bianliang of 360 ATA
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: An integer overflow was addressed with improved input validation.
- CVE-2021-30663: an anonymous researcher
watchOS 7.4.1 – Release Notes
- Available for: Apple Watch Series 3 and later
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2021-30665: yangkang ( @dnpushme) & amp; zerokeeper & amp; bianliang of 360 ATA
macOS 11.3.1 – Release Notes
- Available for: macOS Big Sur
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2021-30665: yangkang ( @dnpushme) & amp; zerokeeper & amp; bianliang of 360 ATA
- Available for: macOS Big Sur
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: An integer overflow was addressed with improved input validation.
- CVE-2021-30663: an anonymous researcher
The vulnerability is due to a boundary error in WebKit. A remote attacker can use a manipulated website to execute any malicious code on the target system of the victim.
The vulnerability has already been actively exploited in the wild and will only be closed with the installation of the corresponding updates. On an iPhone 12, the update to iOS 14.5.1 is around 130 MB in size.
The editorial team thanks community member “Vigilant” for pointing this out.
Update 05.05.2021 09:36 am
Catalina and Mojave also receive an update
In the meantime, Apple has also released a corresponding update for macOS Catalina and Mojave as well as Safari 14.1 and thus closed the two security gaps. Further information is provided in the official release notes.
Safari 14.1 – Release Notes
- Available for: macOS Catalina and macOS Mojave
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2021-30665: yangkang ( @dnpushme) & amp; zerokeeper & amp; bianliang of 360 ATA
- Available for: macOS Catalina and macOS Mojave
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: An integer overflow was addressed with improved input validation.
- CVE-2021-30663: an anonymous researcher
Update 05.05.2021 22:53
iOS 12.5.3 closes security gaps in WebKit
Older devices such as the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and the 6th generation iPod touch have also received an update with iOS 12.5.3 that addresses the two security holes in WebKit closes.
iOS 12.5.3 – Release Notes
- Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A buffer overflow issue was addressed with improved memory handling.
- CVE-2021-30666: yangkang (@dnpushme) & amp; zerokeeper & amp; bianliang of 360 ATA
- Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2021-30665: yangkang ( @dnpushme) & amp; zerokeeper & amp; bianliang of 360 ATA
- Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: An integer overflow was addressed with improved input validation.
- CVE-2021-30663: an anonymous researcher
- Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A use after free issue was addressed with improved memory management.
- CVE-2021-30661: yangkang (@dnpushme) & amp; zerokeeper & amp; bianliang of 360 ATA
For more information, see the official release notes for iOS 12.5.3.
The editorial team thanks community member “iwwazwersch” for pointing out this update.