Free Republic

Apple: WebKit Bugs Exploited to Hack Older iPhones
securityweek.com ^ | 6/15/2021 | Ryan Naraine

Posted on 06/15/2021 8:53:40 PM PDT by bitt

Apple late Monday shipped an out-of-band iOS update for older iPhones and iPads alongside a warning that a pair of WebKit security vulnerabilities may have been actively exploited.

As is customary, Apple did not provide details on the zero-day attacks, which appear to be aimed at a range of older models of Apple's flagship iPhone devices.

The latest iOS 12.5.4 patch covers at least three documented security holes that expose unpatched devices to arbitrary code execution attacks.

According to Apple, two flaws in the WebKit rendering engine could be exploited via booby-trapped web content to execute code on devices running iOS 12.


The two WebKit bugs (CVE-2021-30761 and CVE-2021-30762) are memory corruption and use-after-free issues that Apple says were fixed with improved state management.

“Apple is aware of a report that this issue may have been actively exploited,” the company said. No other details on the nature of the attacks, victim data or IOCs were provided.

The iOS 12.5.4 update also fixes a memory corruption issue in the ASN.1 decoder that could expose older iPhones to code execution attacks.


KEYWORDS: apple; iphones; webkitbugs

1 posted on 06/15/2021 8:53:40 PM PDT by bitt

To: dayglored; ShadowAce; Whenifhow; null and void; aragorn; EnigmaticAnomaly; kalee; Kale; ...

P


2 posted on 06/15/2021 8:54:25 PM PDT by bitt ( A murderer is less to fear. The traitor is the plague.)

To: bitt

You pay a bit more, but Apple keeps its equipment supported far longer than any Android phone ever is.


3 posted on 06/15/2021 9:05:06 PM PDT by ConservativeMind (Trump: Befuddling Democrats, Republicans, and the Media for the benefit of the US and all mankind.)

To: bitt; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; ...
This is again a mere "vulnerability" being touted as an "exploit" without evidence such an exploit has been demonstrated in the wild, announced by Apple after the security updates have been pushed out to users of older iPhones for updating. The real risk here is that it also impacts ALL users of older versions of WebKit, a public domain kit of communications protocols developed and owned by Apple, which is used by almost all versions of Unix™, Linux, Android, their browsers and many Microsoft browsers as well as part of their standards. The vulnerability has been closed by Apple in WebKit’s latest releases but if your Android, Linux, Unix™, browser latest release is not updated, it may have one of the older versions, and if your provider doesn’t provide upgrades, then you may have a problem with hackers taking advantage of that now-known vulnerability and have to rely on anti-malware apps to detect any attempts to exploit it through websites or malicious emails. —PING!


APPLE WebKit Vulnerability In Older OS Distributions
Impacts Android, Linux, UNIX™, and Any Browser
Utilizing Open Source WebKit
PING!

If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.

4 posted on 06/16/2021 12:23:50 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot!)


As of April 6, 2021, over 90% of iPhone and iPad
users had already upgraded to iOS 14 or higher,
another ~5% were still on iOS 13, neither of which
are at risk from this vulnerability, and only 4.48%
were hardcore non-upgraders still operating iOS 12
or lower on their devices.

Apple has pushed out security updates to all users of iOS Safari 12, apparently where a major update to WebKit was introduced, along with the vulnerability, which was apparently fixed in a later revised version, as later versions of iOS are not vulnerable to this.

So the question remains, what version of WebKit is in various versions of Android, Linux, UNIX™, and those browsers? I’d suggest getting the latest updates to be certain you don’t have an old distribution from 2017-2018…

5 posted on 06/16/2021 1:01:32 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot!)
[ To 4 ]

To: ConservativeMind

That is why this family will never go back to Android.


6 posted on 06/16/2021 4:00:31 AM PDT by Shady (Prince Andrew must be dethroned...And who killed Ashli Babbitt? )

To: bitt

Both MS and Apple are a pita for webdevs. It triples the code due to having to cater to them and their proprietary ways. Neither will conform to Web Standards.


7 posted on 06/16/2021 5:48:19 AM PDT by Pollard
