Apple has released a new update to patch two zero-day vulnerabilities in iOS, which if exploited could allow hackers to execute malicious code, even on fully up-to-date devices.

The update comes a week after Apple rolled out the major 14.5 update to its iOS and iPadOS platforms.  

Apple notes that both vulnerabilities originated in the Webkit browser engine that powers not just the Safari web browser, but also Mail and the App Store on iOS devices.

TechRadar needs you!

We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

Tracked as CVE-2021-30663 and CVE-2021-30665, both of the zero-day vulnerabilities have now been patched. However, in its security notes, Apple says it is aware of a report that these issues may have been actively exploited in the wild.

Going after Apple

The two patched flaws follow another code-execution flaw Apple fixed last week, which also existed in the iOS Webkit and may have been actively exploited as well. 

In its security notes, Apple says that the newly patched vulnerabilities could be weaponized by processing maliciously crafted web content, which would have led to arbitrary code execution.

The iPhone maker acknowledges that one of the vulnerabilities was discovered by security researchers from Chinese security firm Qihoo 360. It credits the discovery of the other vulnerability to an anonymous researcher. 

Interestingly, based on figures published by Google’s Project Zero, Ars Technica, deduces that the three recently patched iOS vulnerabilities bring the number of actively exploited zero-day vulnerabilities in iOS to seven.

It extrapolates this to suggest that this makes iOS the second most targeted software by zero-day vulnerabilities in 2021, behind Chrome, which leads the pack with eight zero-days.

Via Ars Technica