Apple: WebKit Bugs Exploited to Hack Older iPhones

securityweek.com ^ | 6/15/2021 | Ryan Naraine

[bitt]

Apple late Monday shipped an out-of-band iOS update for older iPhones and iPads alongside a warning that a pair of WebKit security vulnerabilities may have been actively exploited.

As is customary, Apple did not provide details on the zero-day attacks, which appear to be aimed at a range of older models of Apple flagship iPhone devices.

The latest iOS 12.5.4 patch covers at least three documented security holes that expose unpatched devices to arbitrary code execution attacks.

According to Apple, two flaws in the WebKit rendering engine could be exploited via booby-trapped web content to execute code on devices running iOS 12.

[ SEE: Apple Adds 'BlastDoor' to Secure iPhones ]

The two WebKit bugs (CVE-2021-30761 and CVE-2021-30762) are memory corruption and use-after-free issues that Apple says were fixed with improved state management.

“Apple is aware of a report that this issue may have been actively exploited,” the company said. No other details on the nature of the attacks, victim data or IOCs were provided.

The iOS 12.5.4 also fixes a memory corruption issue in the ASN.1 decoder that could expose older iPhone to code execution attacks.

Related: iOS Exploit Allows 'Unfettered Access' to iPhone User Data Over Wi-Fi

Related: Google Researchers Detail Critical iMessage Vulnerability

Related: Apple Ships Emergency Fixes for Under-Attack iOS Zero-Day

[bitt]

P

[ConservativeMind]

You pay a bit more, but Apple keeps its equipment supported far longer than any Android phone ever is.

[Swordmaker]

This is again a mere "vulnerability" being touted as an "exploit" without evidence such an exploit has been demonstrated in the wild, announced by Apple after the security updates have been pushed out to users of older iPhones for updating. The real risk here is that it also impact ALL users of older versionWebKit, a public domain kit of communications protocols developed and owned by Apple, which is used by almost all versions of Unix™, Linux, Android, their browsers and many Microsoft browsers as well as part of their standards. The vulnerability has been closed by Apple in Webkit’s latest releases but if your Android, Linux, Unix™, browser latest release is not updated, it may have one of the older version, and if your provider doesn’t provide upgrades, then you may have a problem with hackers taking advantage of that now known vulnerability and have to rely on anti-malware apps to detect any attempts to exploit it through websites or malicious emails. —PING!

APPLE WebKit Vulnerability In Older OS Distributions,
Impacts, Android, Linux, UNIX™, and Any Browser
Utilizing Open Source WebKit
PING!

If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.

[Swordmaker]

As of April 6, 2021, over 90% of iPhone and iPad
users had already upgraded to iOS 14 or higher,
another ~5% were still on iOS 13, neither of which
are at risk from this vulnerability, and only 4.48%
were hardcore non-upgraders still operating iOS 12
or lower on their devices.

Apple has pushed out security updates to all users of iOS Safari 12, apparently where a major update to WebKit was introduced, along with the vulnerability, which was apparently fixed in a later revised version, as later versions of iOS are not vulnerable to this.

So the question remains, what version of WebKit is in various versions of Android, Linux, UNIX™, and those browsers? I’d suggest getting the latest updates to be certain you don’t have an old distribution from 2017-2018…

[Shady]

That is why this family will never go back to Android.

[Pollard]

Both MS and Apple are a pita for webdevs. It triples the code due to having to cater to them and their proprietary ways. Neither will conform to Web Standards.