Apple Releases Patches for Safari Bugs Under Active Attack!

Apple patched 2 bugs impacting the WebKit engine of its Safari browser, which it said are actively being exploited.

Apple issued 2 out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that “may have been actively exploited,” according to a Mon. security bulletin by the company. The bugs affect 6th-generation Apple iPhones, iPads & iPod touch model hardware, released 2013-2018.

Technical Details

“Apple is aware of a report that this issue may have been actively exploited,” the company wrote. Technical details of the 2 bugs, Apple said, will not be released, “until an investigation has occurred & patches or releases are available.”

Both bugs are tied to Apple’s Safari browser & the underlying iOS code, called WebKit, which is responsible for rendering web pages. Apple is crediting the discovery of both bugs (CVE-2021-30761 & CVE-2021-30762) to an anonymous researcher.

The patch, iOS 12.5.4, is available for download.

Memory Corruption Bug: CVE-2021-30761

One of the bugs patched by Apple is a “memory corruption issue”; the patch improves the Apple WebKit state management.

“State management refers to the management of the state of 1 or more user interface controls such as text fields, OK buttons, radio buttons, etc. in a graphical user interface,” states a technical description of the term.

According to Apple, the patch for the bug, logged as CVE-2021-30761, addresses a bug found in iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini-2, iPad mini-3, & iPod touch (6th generation). This range of hardware was released 2013-2018.

Use After Free Flaw: CVE-2021-30762

The 2nd flaw was identified as a use-after-free bug, which is a type of memory corruption vulnerability. The bug, tracked as CVE-2021-30762, allows an attacker to execute code on targeted devices. According to Apple, adversaries may be exploiting this flaw on unpatched devices.

In its advisory Apple wrote: “Impact: Processed maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”

Apple added that the “use-after-free issue was addressed with improved memory management.”

Vulnerability

“A use-after-free is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a Kaspersky description of this type of bug.
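One common defence against the pattern in that description, shown as an added example that is not from Apple's advisory or WebKit and does not describe Apple's fix: callers hold a generation-stamped handle instead of a raw pointer, so a reference kept after the object is freed resolves to NULL rather than to recycled memory. All names (Handle, obj_create, obj_get, obj_destroy) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

#define SLOTS 8  /* constructed table size for this example */

typedef struct { uint32_t index, gen; } Handle;  /* held by callers instead of a raw pointer */
typedef struct { int *obj; uint32_t gen; } Slot;
static Slot table[SLOTS];

/* Allocate an object; the handle is stamped with the slot's current generation. */
Handle obj_create(int value) {
    Handle h = { SLOTS, 0 };              /* index == SLOTS marks an invalid handle */
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj != NULL) continue;
        table[i].obj = malloc(sizeof *table[i].obj);
        if (table[i].obj == NULL) return h;
        *table[i].obj = value;
        h.index = i;
        h.gen = table[i].gen;
        return h;
    }
    return h;
}

/* Resolve a handle; NULL if the object was freed or its slot has been reused. */
int *obj_get(Handle h) {
    if (h.index >= SLOTS) return NULL;
    Slot *s = &table[h.index];
    return (s->obj != NULL && s->gen == h.gen) ? s->obj : NULL;
}

/* Free the object, clear the stored pointer and bump the generation so every
   outstanding copy of the handle goes stale. -1 on a stale handle (no double free). */
int obj_destroy(Handle h) {
    int *p = obj_get(h);
    if (p == NULL) return -1;
    free(p);
    table[h.index].obj = NULL;
    table[h.index].gen++;
    return 0;
}

/* An alias kept across a free must not reach the object that reuses the slot. */
int stale_handle_rejected(void) {
    Handle a = obj_create(41), alias = a;
    if (obj_destroy(a) != 0) return 0;
    Handle b = obj_create(99);            /* lands in the slot 'a' just vacated */
    int *pb = obj_get(b);
    int ok = obj_get(alias) == NULL && pb != NULL && *pb == 99 && obj_destroy(alias) == -1;
    obj_destroy(b);
    return ok;
}

int main(void) { return stale_handle_rejected() ? 0 : 1; }
```

Clearing a single pointer after free does not help when other copies of that pointer exist; the generation check is what invalidates every copy at once.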

The iOS patch, distributed as an iOS 12.5.4 update, is for the same model hardware as above: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini-2, iPad mini-3, & iPod touch (6th generation).

Apple is not releasing any further details relating to these vulnerabilities.
