Actively exploited vulnerabilities: Apple patches iOS, macOS and watchOS

On Tuesday night, Apple published an out-of-band update for its main operating systems. Its main purpose is to close two holes in WebKit, Apple’s browser engine for Safari, that are apparently already being actively exploited.

The updates are available as iOS and iPadOS 14.5.1, macOS 11.3.1 and watchOS 7.4.1. Older iPhones, iPads and iPod touch devices are patched with iOS 12.5.3.

In Big Sur 11.3.1 and iOS or iPadOS 14.5.1, CVE-2021-30665 and CVE-2021-30663 have been addressed. These are a memory error and an integer overflow, both of which could be used to execute arbitrary code via manipulated web content. watchOS 7.4.1 only takes care of CVE-2021-30665 (memory error in WebKit); the other bugs are apparently not relevant on the smartwatch.

It remains unclear what the situation is for Safari on earlier macOS versions. Apple has not yet provided a patch for the browser under Mojave (macOS 10.14) or Catalina (macOS 10.15); the hope remains that the holes fixed in Big Sur are either not present there or that the updates will be delivered quickly.

Apple emphasizes that it has a report according to which the bugs are already being actively exploited. This is why it is “important” to install the updates. Unfortunately, Apple does not provide any further details, i.e. who is trying to attack whom and how widespread the exploit is.

iPadOS 14.5.1 and iOS 14.5.1 also fix another problem. Apple’s long-announced App Tracking Transparency (ATT) feature, which was activated with iOS or iPadOS 14.5, did not work properly. Apple is aware of this: users who had already prohibited all apps from tracking via the system settings in previous operating system versions no longer received requests for consent, even if they had generally allowed tracking again. The Mac & i editors also noticed this on their own devices.

