Apple has issued out-of-band patches for critical security issues affecting iPad, iPhone and iPod, which could allow remote code execution (RCE) and other attacks, completely compromising users’ systems. And, the computing giant thinks all of them may have already been exploited in the wild.
Three of these are zero-day flaws, while one is an expanded patch for a fourth vulnerability.
Apple keeps details of security problems close to the vest, “for our customers’ protection,” saving the blood and guts until after it investigates and manages to pump out patches or new releases.
What data it does disclose can be found on its support page. Here’s a summary of the three zero-days:
Zero-Day Bugs in WebKit
- CVE-2021-30665: A critical memory-corruption issue in the Safari WebKit engine where “processing maliciously crafted web content may lead to arbitrary code execution” was addressed with improved state management. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The bug was reported to Apple by three security researchers, nicknamed yangkang, zerokeeper and bianliang.
- CVE-2021-30663: This second flaw is also found in the open-source WebKit browser engine. It’s an integer overflow, reported by an anonymous researcher, that can also lead to RCE. It was addressed with improved input validation. Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
- CVE-2021-30666: A buffer-overflow issue was addressed with improved memory handling. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
And here are details on the expanded patch for the fourth bug:
- CVE-2021-30661: A use after free issue was addressed with improved memory management. Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). This flaw was discovered and reported to the iPhone maker by the security researcher named yangkang, @dnpushme, of Qihoo 360 ATA.
Apple’s support page shows that this fourth one was actually patched on Monday last week (April 26) in iOS 14.5 and macOS 11.3, but not in iOS 12.
Naked Security’s Paul Ducklin finds this one particularly interesting, and he noted that questions remain. Why wasn’t iOS 12 updated at the same time as iOS 14.5 and macOS 11.3? Did the security hole crop up in the code base after iOS 12 was released, perhaps?
No, that’s not it: the CVE-2021-30661 and CVE-2021-30666 bugs fixed on Monday only apply to iOS 12. So it remains unclear if the bug exists in recent operating system versions, or not, Ducklin said.
“Is this an old bug from iOS 12 that was carried forward into the current Apple codebase but has still not yet been patched there?” Ducklin pondered. “Or is it a bug that is unique to the older iOS 12 code that doesn’t appear in the more recent operating system releases and can therefore now be considered to have been eliminated everywhere?”
Threatpost has reached out to Apple for comment.
Per usual, Apple’s lip is zipped. But one thing’s for sure: Patching as soon as possible is top priority. As it is, the chance for websites passing along “maliciously crafted web content” is alarming. If you translate Apple’s statement that “processing maliciously crafted web content may lead to arbitrary code execution, “you get a “drive-by, web-based zero-day RCE exploit, according to Ducklin.
In other words, all you have to do to trigger infection is to visit and view a booby-trapped website.
John Kinsella, chief architect at cloud security company Accurics, says this is one of the nastier types of security bugs: one in which the user isn’t required to perform a certain action for an attacker’s success. “Part of the issue here is that it’s not just the browser that a user needs to be careful with,” he told Threatpost in an email on Tuesday. “Many iOS apps are just wrappers around a web application, which would be rendered by WebKit. For example, HTML mail in Apple’s Mail app will be rendered by WebKit, and this app is a hard one to avoid. Even if a user takes advantage of new iOS functionality to replace the default iOS Mail and Safari apps with other mail/browser apps, the underlying HTML rendering engine would still be WebKit-based on Apple’s App Store rules.”
Kinsella says that if he’s at all suspicious of something, he won’t open it on a mobile device, but rather on a desktop or laptop, where he has much more control. “That being said, I know I’m not the average user,” he said. “The best advice I have is to patch ASAP, and generally be very careful.”
Given that Apple has acknowledged that these vulnerabilities have already been exploited in the wild, and given the fact that HTML content is so prevalent on mobile devices, Kinsella considers a drive-by RCE like this to be a highly serious issue, though “The overall security of iOS means this isn’t a complete takeover of the mobile device.”
Still, every extra foothold an attacker can get “helps them further compromise a device,” he said. “The fact that malicious HTML can compromise something on my wrist doesn’t thrill me. Luckily Apple’s been quite consistent with the reliability of their patches in recent years, so while I may sometimes wait for others to ‘beta test’ a release, a security patch like this was applied to my devices ASAP.”
What is WebKit? The Little Engine That Could
Apple developed the WebKit browser engine to run in its Safari web browser, but it’s also used by Apple Mail, the App Store, and various apps on the macOS and iOS operating systems. This, of course, isn’t the first time that the engine has hit some bumps.
In January, Apple released an emergency update that patched three iOS bugs. Two of them (CVE-2021-1870 and CVE-2021-1871 ) were discovered in WebKit (and the third, tracked as CVE-2021-1782, was found in the OS kernel).
More recently, in March, Apple patched other severe WebKit RCEs. Similar to Monday’s updates, those WebKit fixes could have allowed remote attackers to completely compromise affected systems.
05-04-2021 14:52 UPDATE: Added input from Accurics’ John Kinsella.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.