Apple patches two iOS zero-days in old-gen devices
Apple today released security updates to address two zero-day vulnerabilities that were exploited in the wild to hack older generation iPhones and iPads.
Both vulnerabilities, tracked as CVE-2021-30761 and CVE-2021-30762, reside in WebKit, the browser engine used by Safari, and the component used by all iOS apps to load web content.
Apple said it received reports from anonymous researchers that threat actors had exploited the two bugs to run malicious code on users' devices when the WebKit engine loaded and processed maliciously crafted web content.
The Cupertino-based company today released iOS 12.5.4 to patch both issues.
The update is intended for old-gen devices such as the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), Apple said.
The two zero-days patched today mark the 8th and 9th actively-exploited zero-days patched in Apple products this year. Previous zero-days included:
| CVE | Date | Description |
|---|---|---|
| CVE-2021-1782 | February 1 | A zero-day impacting the macOS, iOS, iPadOS, watchOS, and tvOS kernels |
| CVE-2021-1870 | February 1 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
| CVE-2021-1871 | February 1 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
| CVE-2021-1879 | March 26 | WebKit bug impacting both old and new-gen iOS, iPadOS, and watchOS |
| CVE-2021-30657 | April 26 | macOS Gatekeeper bypass abused by Shlayer malware |
| CVE-2021-30661 | April 26 | WebKit zero-day impacting old and new-gen iOS, iPadOS, watchOS, and tvOS |
| CVE-2021-30663 | May 3 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
| CVE-2021-30665 | May 3 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
| CVE-2021-30666 | May 3 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
| CVE-2021-30713 | May 24 | macOS TCC bypass abused by XCSSET malware |
| CVE-2021-30761 | June 14 | WebKit zero-day impacting old-gen iOS devices |
| CVE-2021-30762 | June 14 | WebKit zero-day impacting old-gen iOS devices |
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.