Apple has rushed out fixes to two major vulnerabilities in iOS and iPadOS 14.5, last month’s update that implemented its App Tracking Transparency feature. Both bugs could have allowed malicious parties to remotely execute code, possibly leading to the takeover of an affected device. That means you need to update your devices as soon as possible.
According to Ars Technica, the 14.5.1 update on Monday mends two zero-day vulnerabilities (possibly already exploited in the wild) in Webkit, a rendering software that controls how web content is rendered in apps like Safari, the App Store, and others. Apple tagged the bugs as CVE-2021-30663 and CVE-2021-30665 in update notes; as Ars Technica explains, both issues were also noticed and patched in MacOS 11.3.1, released on Monday.
Both have an identical impact listed and note that Apple is aware that they had possibly been used in cyberattacks:
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Apple addressed one of the two vulnerabilities, a “memory corruption issue,” “with improved state management,” after being flagged by researchers with Chinese firm Qihoo 360. In the other vulnerability, reported to Apple by an anonymous engineer, “An integer overflow was addressed with improved input validation.”
According to ThreatPost, Apple also fixed another issue (CVE-2021-30666) in the iOS 12.5.3 update for older devices that could have similarly led to “arbitrary code execution.” Google’s Project Zero, which keeps a running tally of major zero-day vulnerabilities, is up to 21 so far this year, seven of which affected Apple products — all but one of them having to do with Webkit. Microsoft also stands at eight zero-day vulnerabilities, while Google is up to five, and Adobe had one.
A separate element in 14.5.1 fixed a bug with the previously released App Tracking Transparency feature, which gives users greater control over which apps have access to which data and is the subject of an ongoing spat with Facebook. According to Ars Technica, a separate bug where the toggle button for the feature remains improperly greyed out in the Settings menu doesn’t appear to have been fixed yet.
“This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it,” Apple wrote. “This update also provides important security updates and is recommended for all users.”