A week after Apple released its biggest iOS and iPadOS update since the release of version 14.0 last September, the company released another update to patch two zero-days that allowed attackers to execute malicious code on full up to date devices. The release of version 14.5.1 on Monday also fixes a bug in the newly released App Tracking Transparency feature that was rolled out in the previous version.
Both vulnerabilities reside in Webkit, a browser engine that renders web content in Safari, Mail, App Store, and other select apps that run on iOS, macOS, and Linux. CVE-2021-30663 and CVE-2021-30665, as the zero-days are tracked, are now patched. Last week, Apple fixed CVE-2021-30661, another code execution flaw in iOS Webkit, which could also have been actively exploited.
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple said in its security notes, referring to the flaws. “Apple is aware of a report that this issue may have been actively exploited.” MacOS 11.3.1, which Apple also released on Monday, also fixed CVE-2021-30663 and CVE-2021-30665.
CVE-2021-30665 was discovered by researchers at China-based security firm Qihoo 360. The other vulnerability was discovered by an anonymous source. Apple has not given any details about who is using the exploits or who is being targeted.
Coveted by black hats, feared by defenders
According to figures from the Google Project Zero vulnerability research team, the three recently patched iOS vulnerabilities bring the number of zero-days actively exploited against iOS users to seven. With a total of 22 zero-days found so far in 2021, those operating Apple’s mobile operating system make up nearly 33 percent of them. That makes iOS the second most targeted software with zero-days this year, after Chrome, which has had eight zero-days.
Zero-days are highly coveted by black hats and feared by defenders because they are unknown to the developers of the vulnerable software and the general public. That means the people who discover the security flaws can use them to hack into devices that are completely up to date, often with little or no detection.
Separately, 14.5.1 fixes a bug that prevented some users from seeing App Tracking Transparency prompts.
“This update fixes an issue with app tracking transparency where some users who previously disabled Allow Apps to Track in Settings may not receive prompts from apps after re-enabling them,” the update description reads. “This update also provides important security updates and is recommended for all users.”
Apple rolled out App Tracking Transparency in the release of iOS 14.5 last week. The addition has turned Facebook on its head because it prevents the company’s app from tracking user activity in other apps that users have installed without explicit permission. A second bug can cause the app tracking transparency switch in the settings menu to be grayed out. There are numerous reports that the switch remains gray for many users even after updating to iOS 14.5.1. Apple representatives did not immediately respond to a request for comment.