Apple reports 2 iOS 0 days that allow hackers to compromise fully patched devices


Enlarge /. The 2020 iPhone range. Left to right: iPhone 12 Pro Max, iPhone 12 Pro, iPhone 12, iPhone SE, and iPhone 12 Mini.

A week after Apple released its biggest iOS and iPadOS update since it released version 14.0 last September, the company released a new update that can patch two zero-days that attackers can use to completely break down malicious code current devices. The release of version 14.5.1 on Monday also fixes issues with a bug in the newly released app tracking transparency feature introduced in the previous version.

Both vulnerabilities are in Webkit, a browser engine that renders web content in Safari, Mail, App Store, and other select apps on iOS, macOS, and Linux. CVE-2021-30663 and CVE-2021-30665 have now been patched as zero days are being tracked. Last week, Apple fixed CVE-2021-30661, another code execution bug in iOS Webkit that may also have been actively exploited.

“The processing of maliciously designed web content can lead to arbitrary code execution,” said Apple in its security advisories, referring to the shortcomings. “Apple has known that this issue may have been actively exploited.” MacOS 11.3.1, which Apple also released on Monday, also fixed CVE-2021-30663 and CVE-2021-30665.

CVE-2021-30665 was discovered by researchers at the China-based security firm Qihoo 360. The other vulnerability was discovered by an anonymous source. Apple did not disclose details of who was using the exploits or who they were targeting.


Desired by black hats, feared by defenders

According to Google’s Project Zero vulnerability team, the three recently patched iOS vulnerabilities increase the number of zero days actively exploited against iOS users to seven. With a total of 22 zero days in 2021, those who take advantage of the Apple Mobile OS make up almost 33 percent of it. This makes iOS the second most targeted software after Chrome, which had eight zero days, after zero days this year.

Zero-days are coveted by black hats and feared by defenders because they are unknown to the developers of the vulnerable software and the general public. This means that the people who discover vulnerabilities can hack into devices that are fully up to date, often with little or no detection.

Separately, 14.5.1 fixes a bug that is preventing some users from seeing prompts for app tracking transparency.

“This update fixes an issue with the transparency of app tracking where some users who previously allowed apps to track in the settings may not receive prompts from apps after reactivating them,” said the update. Description. “This update also provides critical security updates and is recommended for all users.”

Apple introduced app tracking transparency with iOS 14.5 last week. The addition messed up Facebook by preventing the company’s app from tracking user activity across other apps that users installed without express permission. A second bug can result in the toggling of the app tracking transparency in the settings menu being grayed out. There have been numerous reports that the toggle button remains grayed out for many users even after updating to iOS 14.5.1. Apple representatives didn’t immediately respond to a request for comment.


Steven Gregory