Apple issues security patches addressing 2 zero-day vulnerabilities

Apple has issued urgent security patches to address two zero-day flaws in iOS 12.5.3 that were exploited in the wild. The iOS 12.5.4 update comes with three major security fixes that include two flaws around the Webkit browser engine and a memory corruption issue in ASN.1 decoder.

It includes:

  • Memory corruption issue is to exploit arbitrary code execution crafting web content addressing state management.
  • Use-after-free issue is to exploit the arbitrary code execution crafting web content addressing state management.

Both the issues are reported anonymously that might be actively exploited. However, the specifications are not yet out about the attacks, threat actors that might be abusing the issues, or the victims that are targeted.

The major attempts were against the owner of old devices that includes iPhone 6, iPhone 5s, iPhone 6 Plus, iPad mini 3, iPad mini 2, iPad Air, and iPad touch (6th generation). The update is similar to the one that was out on May 3 for the buffer overflow vulnerability.

Apart from this, 12 zero-day patches were rolled out by Apple by iPadOS, iOS, tvOS, macOS, and watchOS. This includes:

  • CVE-2021-1782 (Kernel) – A malicious application may be able to elevate privileges
  • CVE-2021-30661 (WebKit Storage) – Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-1870 and CVE-2021-1871 (WebKit) – A remote attacker may be able to cause arbitrary code execution
  • CVE-2021-30657 (System Preferences) – A malicious application may bypass Gatekeeper checks
  • CVE-2021-1879 (WebKit) – Processing maliciously crafted web content may lead to universal cross-site scripting
  • CVE-2021-30713 (TCC framework) – A malicious application may be able to bypass Privacy preferences
  • CVE-2021-30663, CVE-2021-30665, CVE-2021-30666 and (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution