On Tuesday night, Apple published an out-of-band update for its main operating systems. Its main purpose is to close two holes in WebKit, the browser engine behind Apple's Safari, that are apparently already being actively exploited.
Five updates for iPhone, iPad, Mac and Watch
In Big Sur 11.3.1 and iOS or iPadOS 14.5.1, CVE-2021-30665 and CVE-2021-30663 have been addressed. These are a memory error and an integer overflow, both of which could be used to execute arbitrary code via manipulated web content. watchOS 7.4.1 only takes care of CVE-2021-30665 (memory error in WebKit); the other bugs are apparently not relevant on the smartwatch.
What about older macOS versions?
It remains unclear what the situation is for Safari on earlier macOS versions. Apple has not yet provided a single patch for the browser under Mojave (macOS 10.14) or Catalina (macOS 10.15); the hope remains that the holes fixed in Big Sur are either not present there or that the updates will be delivered quickly.
Apple emphasizes that the company has a report according to which the bugs are already being actively exploited. This is why it is "important" to install the updates. Unfortunately, Apple does not provide any further details, i.e. who is trying to attack whom and how widespread the exploit is.
ATT bug fixed
iPadOS 14.5.1 and iOS 14.5.1 also fix another problem. Apple's long-announced App Tracking Transparency (ATT) function, which was activated with iOS or iPadOS 14.5, did not work properly. Apple is aware of this: users who had already forbidden all apps from tracking via the system settings in previous operating systems no longer received requests for consent, even if they had allowed tracking again in principle. The Mac & i editors also noticed this on their own devices.