Apple has released updates to its operating systems that close some vulnerabilities in WebKit. The manufacturer acknowledges that the zero-days may be abused. The updates are for iOS, iPadOS, macOS and watchOS.
Little is known about the vulnerabilities. Apple lists some CVE numbers, CVE-2021-30665 and CVE-2021-30663, in the changelog, but no details are available yet. The security researcher named by Apple also mentions a third CVE number, CVE-2021-30661, and promises to publish more details later.
Apple says one vulnerability is a memory corruption issue, while the other is an integer overflow. Both are in WebKit, the rendering engine used by Safari and for much of the web content shown in apps. The manufacturer recommends that all users update, as there are indications that the vulnerabilities are being actively exploited.
The updates are iOS and iPadOS 14.5.1 for the iPhone 6s, iPad Air 2 and later; for older iPhones, iPads and the iPod touch, iOS 12.5.3 has also been released with the same fixes. For Macs the update is macOS Big Sur 11.3.1, and for the Apple Watch it is watchOS 7.4.1.