Apple has released iOS 14.5.1 and iPadOS 14.5.1 for iPhone and iPad models to address two zero-day security vulnerabilities in WebKit that permitted attackers to execute malicious code on newly updated devices. Apple has also strongly advised users to update their devices.
The latest security updates arrive only a week after Apple launched iOS 14.5, iPadOS 14.5, macOS Big Sur 11.3, watchOS 7.4, and tvOS 14.5 for compatible devices.
The same security bugs existed on Mac computers and Apple Watch models, which received updates to macOS Big Sur 11.3.1 and watchOS 7.4.1, respectively. Apple has also released iOS 12.5.3 for older iPhone and iPad models to address four WebKit-related security problems, including the two zero-day flaws.
According to Apple’s security post, iOS 14.5.1 and iPadOS 14.5.1 have patches for two bugs in the WebKit browser engine, which is used to render Web content in Safari, App Store, Mail, and other applications. The vulnerabilities are tracked as CVE-2021-30663 and CVE-2021-30665.
CVE-2021-30663 is an integer overflow issue, while CVE-2021-30665 is a memory corruption issue. Both flaws allowed attackers to execute malicious code through specially crafted Web content.
“This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it,” says Apple.
Apple stated that it was aware of evidence that both security flaws were actively exploited. As a result, users are strongly advised to download and install the iOS 14.5.1 and iPadOS 14.5.1 updates on their devices. A fix for the App Tracking Transparency prompts is also included in the latest updates.
Apple also released iOS 12.5.3 for older iPhone, iPad, and iPod touch models, including the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). It addresses the CVE-2021-30663 and CVE-2021-30665 vulnerabilities, as well as two other zero-day bugs concerning WebKit, CVE-2021-30666 and CVE-2021-30661.