Apple today released security updates for multiple products to patch three zero-days and roll out additional patches for a fourth, all of which the company said might have been exploited in the wild.
All four zero-days impact WebKit—the web page rendering engine at the heart of the company’s Safari web browser.
While Safari is available only for iOS and macOS, the WebKit engine is available as a built-in component on most of the company’s products, including iPadOS, tvOS, and watchOS, where it is used to display web content inside a no-UI borderless window, without having to load a full browser app.
Today, Apple released macOS Big Sur 11.3.1, iOS 12.5.3, iOS 14.5.1, iPadOS 14.5.1, and watchOS 7.4.1 to patch three suspected WebKit zero-days, tracked as CVE-2021-30663, CVE-2021-30665, and CVE-2021-30666.
In keeping with its usual security policy, Apple has not shared details about the potential attacks. All four WebKit bugs have the same description:
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Apple credited Qihoo 360 ATA researcher @dnpushme with discovering all four bugs.
The four fixes also come after Apple patched another WebKit zero-day, this one discovered by Google, on March 26.