Apple releases fixes for three WebKit zero-days, additional patches for a fourth

Apple has released today security updates for multiple products to patch three zero-days and roll out additional patches for a fourth that the company said they might have been exploited in the wild.

All four zero-days impact WebKit—the web page rendering engine at the heart of the company's Safari web browser.

While Safari is available only for iOS and macOS, the WebKit engine is available as a built-in component on most of the company's products, including iPadOS, tvOS, and watchOS, where it is used to display web content inside a no-UI borderless window, without having to load a full browser app.

Today, Apple released macOS Big Sur 11.3.1, iOS 12.5.3, iOS 14.5.1, iPadOS 14.5.1, and watchOS 7.4.1 to patch three suspected WebKit zero-days, tracked as CVE-2021-30663, CVE-2021-30665, and CVE-2021-30666.

In addition, the iOS 12.5.3 update also includes a fix for CVE-2021-30661, a fourth suspected WebKit zero-day that Apple first patched last Monday in iOS, iPadOS, watchOS, and tvOS.

Typical to its regular security policy, Apple has not shared details about the potential attacks. All four WebKit bugs have the same description:

Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Apple credited Qihoo 360 ATA researcher @dnpushme with discovering all four bugs.

To Be Continue... https://t.co/5XOz0he35F

— b0ring (@dnpushme) April 27, 2021

In 2020, the same Qihoo 360 ATA team and the same researcher also found similar Firefox and Internet Explorer zero-days abused in the wild by a threat actor known as Dark Hotel.

The four fixes also come after Apple patched another WebKit zero-day—this one discovered by Google— on March 26.