Apple issues patches for two more WebKit zero-days

Apple released patches for two zero-day vulnerabilities involving its WebKit browser engine as part of its iOS 12.5.3 update Monday.

According to Apple, there are reports that the two vulnerabilities "may have been actively exploited." The scope of the threat activity is unclear; Apple did not provide details regarding how these bugs are being exploited or the scale of the exploitation.

We contacted Apple for more detail about the zero-days, but the Cupertino, Calif., company declined to comment.

The two vulnerabilities, CVE-2021-30761 and CVE-2021-30762, bring the number of WebKit-related zero-days disclosed and patched by Apple this year to nine. Last month, Apple issued emergency patches for other zero-day flaws in WebKit.

According to Monday's security update, CVE-2021-30761 is a memory corruption issue capable of arbitrary code execution when the user processes "maliciously crafted web content," and CVE-2021-30762 is a "use after free issue" also triggered through malicious web content and also capable of arbitrary code execution. Both vulnerabilities were discovered by anonymous researchers.

The vulnerabilities impact older iOS devices according to the advisory, including iPhones 5s, 6, 6 Plus; iPads Air, mini 2, mini 3; and the 6th generation iPod touch.

A third vulnerability centered around Apple's ASN.1 decoder was fixed in the 12.5.3 update. Like CVE-2021-30761, CVE-2021-30737 is a memory corruption issue caused by the user "processing a maliciously crafted certificate" and is capable of arbitrary code execution. It was found by a security researcher known as "xerub."

The U.S. Cybersecurity and Infrastructure Security Agency released an advisory Tuesday about the Apple zero-days and patches, encouraging users and administrators to review the Apple security update and apply the necessary updates.

Alexander Culafi is a writer, journalist and podcaster based in Boston.