Apple has released security updates for two iOS zero-day vulnerabilities that may have been actively exploited to break into older iOS devices. The two bugs, tracked as CVE-2021-30761 and CVE-2021-30762, are caused by memory corruption and use after free issues in the WebKit browser engine, both found and reported by anonymous researchers. WebKit is a browser rendering engine used by Apple web browsers and applications to render HTML content on desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS. Attackers could exploit the two vulnerabilities using maliciously crafted web content that would trigger arbitrary code execution after being loaded by the targets on unpatched devices. Impacted devices include older iPhones (iPhone 5s, iPhone 6, iPhone 6 Plus), iPads (iPad Air, iPad mini-2, iPad mini-3) and the iPod touch (6th generation). “Apple is aware of a report that this issue may have been actively exploited,” Apple said when describing the two iOS 12.5.4 vulnerabilities.
Users of these older iOS devices should immediately download and apply this update as soon as possible. Organizations that use older devices, operating systems or programs should consider updating these because many older systems have reached their end of life from the manufacturer and no longer receive security updates.