[BreachExchange] Apple Hurries Patches for Safari Bugs Under Active Attack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jun 15 12:25:07 EDT 2021


https://threatpost.com/apple-patch-safari-active-attack/166922/

Apple patched two bugs impacting its Safari browser WebKit engine that it
said are actively being exploited.

Apple issued two out-of-band security fixes for its Safari web browser,
fixing zero-day vulnerabilities that “may have been actively exploited,”
according to a Monday security bulletin by the company. The bugs affect
sixth-generation Apple iPhones, iPads and iPod touch model hardware,
released between 2013 and 2018.

“Apple is aware of a report that this issue may have been actively
exploited,” the company wrote. Technical details of the two bugs, Apple
said, will not be released, “until an investigation has occurred and
patches or releases are available.”

Both bugs are tied to Apple’s Safari browser and the underlying iOS code,
called WebKit, which is responsible for rendering web pages. Apple is
crediting the discovery of both bugs (CVE-2021-30761 and CVE-2021-30762) to
an anonymous researcher.

The patch, iOS 12.5.4, is available for download.

Memory Corruption Bug: CVE-2021-30761

One of the bugs patched by Apple addresses a “memory corruption issue” and
improves the Apple WebKit state management.

“State management refers to the management of the state of one or more user
interface controls such as text fields, OK buttons, radio buttons, etc. in
a graphical user interface,” according to a technical description of the
term.

According to Apple, the patch for the bug, logged as CVE-2021-30761,
addresses a bug found in iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad
mini 2, iPad mini 3, and iPod touch (6th generation). This range of
hardware was released between 2013 and 2018.

Use After Free Flaw: CVE-2021-30762

The second flaw was identified as a use-after-free bug, which is a type of
memory corruption vulnerability. The bug, tracked as CVE-2021-30762,
allows an attacker to execute code on targeted devices. According to Apple,
adversaries may be exploiting this flaw on unpatched devices.

In its advisory Apple wrote: “Impact: Processed maliciously crafted web
content may lead to arbitrary code execution. Apple is aware of a report
that this issue may have been actively exploited.”

Apple added that the “use-after-free issue was addressed with improved
memory management.”

“[A] use-after-free is a vulnerability related to incorrect use of
dynamic memory during program operation. If after freeing a memory
location, a program does not clear the pointer to that memory, an attacker
can use the error to hack the program,” according to a Kaspersky
description of this type of bug.

The iOS patch, distributed as an iOS 12.5.4 update, is for the same model
hardware as above: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini
2, iPad mini 3, and iPod touch (6th generation).

Apple is not releasing any additional details pertaining to these
vulnerabilities.
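
To illustrate the use-after-free description quoted above, the following is an added example, not code from the article, Apple or WebKit. Clearing a pointer after the free only protects that one copy, so this sketch hands out generation-checked handles that make every outstanding alias go stale when the object is freed. All names (the pool, `handle`, `slot`, the sample strings) are hypothetical and constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>
#define POOL_SLOTS 4

/* Hypothetical types for this sketch: callers hold handles, never raw pointers. */
typedef struct { uint32_t index, generation; } handle;
typedef struct { uint32_t generation; int live; char data[16]; } slot;
static slot pool[POOL_SLOTS];   /* zero-initialised: all slots free, generation 0 */

/* Claim a free slot and bind the handle to the slot's current generation. */
static int pool_alloc(const char *text, handle *out) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        strncpy(pool[i].data, text, sizeof pool[i].data - 1); /* last byte stays 0 */
        *out = (handle){ i, pool[i].generation };
        return 0;
    }
    return -1;                  /* pool exhausted */
}

/* A handle is valid only while its slot is live and the generations match. */
static slot *pool_resolve(handle h) {
    if (h.index >= POOL_SLOTS) return NULL;
    slot *s = &pool[h.index];
    return (s->live && s->generation == h.generation) ? s : NULL;
}

/* Free the slot and bump its generation so every outstanding copy goes stale. */
static int pool_free(handle h) {
    slot *s = pool_resolve(h);
    if (!s) return -1;          /* stale handle or double free is rejected */
    memset(s->data, 0, sizeof s->data);
    s->live = 0;
    s->generation++;
    return 0;
}

/* Constructed scenario: an alias outlives the free and the slot is reused. */
static int stale_alias_rejected(void) {
    handle a, alias, b;
    if (pool_alloc("object-A", &a)) return 0;
    alias = a;                                  /* second reference, never cleared */
    if (pool_free(a) || pool_alloc("object-B", &b)) return 0;
    int ok = b.index == alias.index             /* same storage was handed out again */
          && pool_resolve(alias) == NULL && pool_free(alias) == -1
          && strcmp(pool_resolve(b)->data, "object-B") == 0;
    return pool_free(b) == 0 && ok;
}

int main(void) { return stale_alias_rejected() ? 0 : 1; }
```

With a raw pointer in place of `alias`, the same sequence would read or free storage that now belongs to the second object; here the stale reference resolves to NULL instead.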