Apple has released a new update to patch two zero-day vulnerabilities in iOS, which if exploited could allow hackers to execute malicious code, even on fully up-to-date devices.
The update comes a week after Apple rolled out the major 14.5 update to its iOS and iPadOS platforms.
Apple notes that both vulnerabilities originated in the Webkit browser engine that powers not just the Safari web browser, but also Mail and the App Store on iOS devices.
- Protect your devices with these best antivirus software
- Here's our choice of the best malware removal software on the market
- We’ve also rounded up the best ransomware protection tools
Tracked as CVE-2021-30663 and CVE-2021-30665, both of the zero-day vulnerabilities have now been patched. However, in its security notes, Apple says it is aware of a report that these issues may have been actively exploited in the wild.
Going after Apple
The two patched flaws follow another code-execution flaw Apple fixed last week, which also existed in the iOS Webkit and may have been actively exploited as well.
In its security notes, Apple says that the newly patched vulnerabilities could be weaponized by processing maliciously crafted web content, which would have led to arbitrary code execution.
The iPhone maker acknowledges that one of the vulnerabilities was discovered by security researchers from Chinese security firm Qihoo 360. It credits the discovery of the other vulnerability to an anonymous researcher.
Interestingly, based on figures published by Google’s Project Zero, Ars Technica, deduces that the three recently patched iOS vulnerabilities bring the number of actively exploited zero-day vulnerabilities in iOS to seven.
It extrapolates this to suggest that this makes iOS the second most targeted software by zero-day vulnerabilities in 2021, behind Chrome, which leads the pack with eight zero-days.
- Here's our list of the best business smartphones available
Via Ars Technica
