Apple fixed 2 WebKit flaws exploited to target older iPhones

Apple released an out-of-band iOS update for older iPhones and iPads and warned that threat actors are actively exploiting two flaws in WebKit.

Apple released an out-of-band iOS update ( iOS 12.5.4 patch) for older iPhones and iPad, the IT giant also warned that some vulnerabilities affecting its WebKit may have been actively exploited.

WebKit is a browser engine developed by Apple and primarily used in its Safari web browser, as well as all iOS web browsers.

Apple did not share details of the attacks that targeted older models of Apple iPhone devices.

The iOS 12.5.4 patch addressed at least three vulnerabilities that could be exploited by threat actors to execute arbitrary code on vulnerable devices.

Two of the addressed issues, tracked CVE-2021-30761 and CVE-2021-30762, are memory corruption and use-after-free issues respectively and reside in the WebKit rendering engine. The two flaws could be exploited by tricking owners of devices running iOS 12 into visiting specially crafted web content.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the security advisory published by Apple.

The iOS 12.5.4 fixes the flaws in iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). Both issues were reported by an anonymous researcher.

The iOS 12.5.4 also addressed a memory corruption issue in the ASN.1 decoder tracked as CVE-2021-30737. The flaw can be exploited by processing a maliciously crafted certificate to lead to arbitrary code execution.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, iPhones)

[adrotate banner=”5″]

[adrotate banner=”13″]