Similar updates were released for watchOS 7.4.1, iPadOS 14.5.1, macOS Big Sur 11.3.1 and even for older devices with iOS 12.5.3. The vulnerabilities were in the WebKit engine and allowed remote code execution when visiting a malicious website. They received CVE identifiers CVE-2021-30665 and CVE-2021-30663.
The first was found by experts from Chinese Qihoo 360, the second by an anonymous researcher. Apple does not disclose whether they were actually exploited during the week the system was available, and does not add details about the nature of the bugs.
Along with the update, CVE-2021-30661 in App Tracking Transparency was also fixed. It is now possible to refuse tracking without repeated requests. Apple supports transparency, but ArsTechnica claims that some of the shortcomings remained even in iOS 14.5.1.
Google Project Zero summarized that the recent vulnerabilities bring the number of zero-days in iOS to seven. In total, 22 vulnerabilities were found in Apple in 2021, a third of them on mobile – which places the company's software second in availability to hackers, after Chrome with eight serious issues.
