Security News > 2021 > May > Apple fixes four zero-days under attack

A week after Apple patched a macOS zero-day exploited by Shlayer malware for months, the company has released new security updates for macOS, iOS, iPadOS and watchOS that plug four additional zero-days that "may have been actively exploited".
CVE-2021-30665 - a memory corruption issue in WebKit that could lead to arbitrary code execution when a user views maliciously crafted web content.
WatchOS 7.4.1 plugs only the first of those security holes, while iOS 12.5.3 fixes both, as well as two other vulnerabilities that may have been exploited in the wild: CVE-2021-30666 and CVE-2021-30661, both of which may lead to arbitrary code execution when a user loads maliciously crafted web content.
WebKit is a browser engine developed by Apple and used by Safari on macOS, iOS and iPadOS. Though watchOS doesn't have the Safari app, it has WebKit so that Apple Watch users can open web content on the device.
As per usual, Apple has not shared specific details about the fixed flaws or explained in which attacks they are being exploited.
Users are advised to update their Apple devices as soon as possible.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/1w7C6A59IQc/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-08 | CVE-2021-30666 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple iPhone OS. A buffer overflow issue was addressed with improved memory handling. | 8.8 |
| 2021-09-08 | CVE-2021-30665 | Out-of-bounds Write vulnerability in Apple products. A memory corruption issue was addressed with improved state management. | 8.8 |
| 2021-09-08 | CVE-2021-30661 | Use After Free vulnerability in Apple products. A use after free issue was addressed with improved memory management. | 8.8 |