Cybercriminals are exploiting vulnerabilities at will and, to make matters worse, are now penetrating deeper by finding zero-day vulnerabilities. In response, Apple is leaving no stone unturned to fix zero-day bugs as early as possible and has released a new security update, iOS 12.5.4, that addresses three zero-day vulnerabilities affecting the ASN.1 decoder and WebKit in Apple’s widely used products: iPhones, iPads, and the 6th generation iPod touch.
Patch Management for Apple’s Zero-day Vulnerabilities
The vulnerability patch from Apple mainly consists of three security fixes that are listed below with their respective CVEs:
- CVE-2021-30737 (ASN.1 Decoder Issue)
This vulnerability meant that processing a maliciously crafted certificate could allow an attacker to carry out arbitrary code execution. It was found to be a memory corruption issue in the ASN.1 decoder, and Apple fixed it by removing the vulnerable code.
- CVE-2021-30761 and CVE-2021-30762 (WebKit Issues)
These vulnerabilities meant that processing maliciously crafted web content could lead to arbitrary code execution. Apple says that it “is aware of a report that this issue may have been actively exploited.”
CVE-2021-30761 was found to be a memory corruption issue that has been addressed with improved state management. Similarly, CVE-2021-30762 is said to be a use-after-free issue, which has been addressed with improved memory management.
All these zero-day vulnerabilities were reported by anonymous researchers and were mainly targeted at Apple’s older devices listed below:
Devices impacted: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
Besides releasing the patches for these zero-day vulnerabilities, Apple has also issued multiple security updates since the beginning of the year for its various operating systems, including macOS, watchOS, and tvOS. Users are advised to update their devices to the latest versions available.