The weaknesses impact WebKit, the browser engine which is used by Safari as well as other third-party web browsers in iOS, enabling an attacker to apply arbitrary code on target devices. The three security bugs have been summarised below:
- CVE-2021-30663: An integer overflow vulnerability that can be taken advantage of to create malicious web content, which results in code execution. The flaw was corrected with enhanced input validation.
- CVE-2021-30665: A memory corruption issue that can be manipulated to create malicious web content, which may result in code execution. The flaw was taken care of by enhancing the state management.
- CVE-2021-30666: A buffer overflow vulnerability that could be manipulated to generate malicious web content, which may result in code execution. The flaw was handled with enhanced memory handling.
These developments came after the release of the new iOS 14.5 update and macOS Big Sur 11.3 along with a fix for a likely exploited WebKit Storage vulnerability. Tracked as CVE-2021-30661, the use-after-free issue was identified and reported to the company by a security researcher.
The thing to note here is that CVE-2021-30666 only impacts older Apple devices like iPhone 5s, iPhone 6, iPhone 6 Plus, etc. The iOS 12.5.3 update, which addresses this flaw, also comes with a fix for CVE-2021-30661.
Apple has also rolled out a new version of Safari 14.1 for macOS Catalina and macOS Mojave, these updates come with fixes for the two WebKit flaws CVE-2021-30663 as well as CVE-2021-30665.