Apple patched two bugs impacting its Safari browser WebKit engine that it said are actively being exploited.
Apple issued two out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that “may have been actively exploited,” according to a Monday security bulletin by the company. The bugs affect sixth-generation Apple iPhones, iPads and iPod touch model hardware, released between 2013 and 2018.
“Apple is aware of a report that this issue may have been actively exploited,” the company wrote. Technical details of the two bugs, Apple said, will not be released, “until an investigation has occurred and patches or releases are available.”
Both bugs are tied to Apple’s Safari browser and the underlying iOS code, called WebKit, which is responsible for rendering web pages. Apple is crediting the discovery of both bugs (CVE-2021-30761 and CVE-2021-30762) to an anonymous researcher.
The patch, iOS 12.5.4, is available for download.
Memory Corruption Bug: CVE-2021-30761
One of the bugs patched by Apple addresses a “memory corruption issue” and improves the Apple WebKit state management.
“State management refers to the management of the state of one or more user interface controls such as text fields, OK buttons, radio buttons, etc. in a graphical user interface,” according to a technical description of the term.
According to Apple, the patch for the bug, logged as CVE-2012-30761, addresses a bug found in iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). This range of hardware was released between 2013 and 2018.
Use After Free Flaw: CVE-2021-30762
The second flaw was identified as a use-after-free bug, which is a type of memory corruption vulnerability. The bug, tracked as CVE-20121-30762, allows an attacker to execute code on targeted devices. According to Apple, adversaries may be exploiting this flaw on unpatched devices.
In its advisory Apple wrote: “Impact: Processed maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.”
Apple added that the “use-after-free issue was addressed with improved memory management.”
“[A] use-after-free is a vulnerability [is] related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” according to a Kaspersky description of this type of bug.
The iOS patch, distributed as a iOS 12.5.4 update, is for the same model hardware as above: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
Apple is not releasing any additional details pertaining to these vulneraries.