A week after Apple issued its biggest iOS and iPadOS update since last September’s release of version 14.0, the company has released a new update to patch two zero-days that allowed attackers to execute malicious code on fully up-to-date devices. Monday’s release of version 14.5.1 also fixes problems with a bug in the newly released App Tracking Transparency feature rolled out in the previous version.
Both vulnerabilities reside in Webkit, a browser engine that renders Web content in Safari, Mail, App Store, and other select apps running on iOS, macOS, and Linux. CVE-2021-30663 and CVE-2021-30665, as the zero-days are tracked, have now been patched. Last week, Apple fixed CVE-2021-30661, another code-execution flaw in iOS Webkit, that also might have been actively exploited.
“Processing maliciously crafted web content may lead to arbitrary code execution,” Apple said in its security notes, referring to the flaws. “Apple is aware of a report that this issue may have been actively exploited.” MacOS 11.3.1, which Apple also released on Monday, also fixed CVE-2021-30663 and CVE-2021-30665.