Apple patched 2 bugs in the WebKit engine behind its Safari browser, which it outlined are actively being exploited.
Apple issued 2 out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that “may have been actively exploited,” according to a Mon. security bulletin by the company. The bugs affect 6th-generation Apple iPhones, iPads & iPod touch model hardware, released 2013-2018.
Technical Details
“Apple is aware of a report that this issue may have been actively exploited,” the company wrote. Technical details of the 2 bugs, Apple said, will not be released, “until an investigation has occurred & patches or releases are available.”
Both bugs are tied to Apple’s Safari browser & the underlying iOS code, called WebKit, which is responsible for rendering web pages. Apple is crediting the discovery of both bugs (CVE-2021-30761 & CVE-2021-30762) to an anonymous researcher.
The patch, iOS 12.5.4, is available for download.
Memory Corruption Bug: CVE-2021-30761
One of the bugs patched by Apple is a “memory corruption issue”, which the patch addresses by improving Apple WebKit state management.
“State management refers to the management of the state of 1 or more user interface controls such as text fields, OK buttons, radio buttons, etc. in a graphical user interface,” states a technical description of the term.
According to Apple, the patch for the bug, logged as CVE-2021-30761, addresses a bug found in iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini-2, iPad mini-3, & iPod touch (6th generation). This range of hardware was released 2013-2018.
Use After Free Flaw: CVE-2021-30762
The 2nd flaw was identified as a use-after-free bug, which is a type of memory corruption vulnerability. The bug, tracked as CVE-2021-30762, allows an attacker to execute code on targeted devices. Apple explains that adversaries may be exploiting this flaw on unpatched devices.
In its advisory Apple wrote: “Impact: Processed maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”
Apple added that the “use-after-free issue was addressed with improved memory management.”
Vulnerability
“A use-after-free is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a Kaspersky description of this type of bug.
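The failure mode in the description above, shown from the defensive side as an added C example (not Apple's or WebKit's code, and not a description of how the patch works). The `pool_*` functions and `handle_t` type are hypothetical names: references carry a generation number, so one kept after the memory is freed and reused is rejected instead of followed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example; pool_* and handle_t are hypothetical names.
 * A handle kept after release is rejected, not followed into reused memory. */
#define POOL_SLOTS 4
typedef struct { uint32_t slot, gen; } handle_t;
typedef struct { char *data; uint32_t gen; } slot_t;  /* data == NULL: free */
static slot_t pool[POOL_SLOTS];

/* Resolve a handle; stale or out-of-range handles yield NULL. */
const char *pool_get(handle_t h) {
    if (h.slot >= POOL_SLOTS || pool[h.slot].gen != h.gen) return NULL;
    return pool[h.slot].data;
}

/* Copy `text` into the first free slot; slot == POOL_SLOTS signals failure. */
handle_t pool_alloc(const char *text) {
    handle_t bad = { POOL_SLOTS, 0 };
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].data != NULL) continue;
        size_t n = strlen(text) + 1;
        if ((pool[i].data = malloc(n)) == NULL) return bad;
        memcpy(pool[i].data, text, n);
        handle_t h = { i, pool[i].gen };
        return h;
    }
    return bad;
}

/* Free the buffer, clear the pointer, and invalidate outstanding handles. */
int pool_release(handle_t h) {
    if (pool_get(h) == NULL) return -1;   /* stale handle or double release */
    free(pool[h.slot].data);
    pool[h.slot].data = NULL;
    pool[h.slot].gen++;
    return 0;
}

int main(void) {
    handle_t old = pool_alloc("session A");
    pool_release(old);
    handle_t fresh = pool_alloc("session B");   /* reuses the same slot */
    printf("stale: %s\n", pool_get(old) ? "followed" : "rejected");
    printf("fresh: %s\n", pool_get(fresh));
    return 0;
}
```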
The iOS patch, distributed as an iOS 12.5.4 update, is for the same model hardware as above: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini-2, iPad mini-3, & iPod touch (6th generation).
Apple is not releasing any further details relating to these vulnerabilities.