Apple has fixed several more zero-day vulnerabilities in its iOS operating system which the company says could have been “actively exploited” to break into older iOS devices.
In its security advisory, Apple said threat actors could exploit the two vulnerabilities, tracked as CVE-2021-30761 and CVE-2021-30762, through maliciously crafted web content that would trigger arbitrary code execution on unpatched devices.
According to the advisory, the vulnerabilities impact older iOS devices running iOS 12.5.4, including the iPhone 5S, 6, 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and the 6th generation iPod touch.
Apple notes that while CVE-2021-30761 is a memory corruption issue, CVE-2021-30762 is a “use after free issue” and credits the discovery of both to anonymous researchers.
String of zero-days
Bleeping Computer notes that Apple has fixed a string of zero-day vulnerabilities this year. Surprisingly, many of the earlier ones concerned the WebKit web browser engine as well.
Before patching these latest ones, Apple patched another two last month, in May, which, along with another vulnerability in late April, also existed in WebKit.
Not surprisingly, just as with these latest vulnerabilities, Apple had previously acknowledged reports of the earlier zero-days being exploited in the wild.
In fact, as per Bleeping Computer, the latest round of vulnerabilities brings the total number of iOS zero-days patched this year to nine, with most of them tagged as having been exploited in the wild.
The latest round of iOS fixes even prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to put out an advisory urging users to “apply the necessary updates.”