There are several reasons to update to the latest version of an operating system as soon as it rolls out, from big new features to bug fixes, but none are more pressing than patches for vulnerabilities that could put your personal data at risk. This Monday, Apple released iOS 14.5.1, and while the point of the update seemed to be fixing an App Tracking Transparency bug, Apple also patched two zero-days that might have been actively exploited.
As Apple revealed on a support page, iOS 14.5.1 addresses two vulnerabilities affecting WebKit, which is the browser engine that powers Safari and renders web content in other first-party apps. CVE-2021-30665 and CVE-2021-30663 were both patched in the update, so download and install iOS 14.5.1 now if you haven’t already.
Here’s how Apple described the two zero-day vulnerabilities and their potential impact on the iPhone:
WebKit
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: A memory corruption issue was addressed with improved state management.
- CVE-2021-30665: yangkang (@dnpushme)&zerokeeper&bianliang of 360 ATA
WebKit
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: An integer overflow was addressed with improved input validation.
- CVE-2021-30663: an anonymous researcher
As noted by Ars Technica, Project Zero, Google’s team of security analysts, has been tracking such exploits all year long, and of the 21 zero-days that have been uncovered in 2021 to date, a third have affected Apple’s mobile operating system. Microsoft is the only company to appear on the list more often than Apple, while Google and Adobe combine for six appearances so far. Apple is certainly being kept on its toes.
This should be reason enough to update to iOS 14.5.1 immediately, but the new version of iOS also promises to fix a bug that has been plaguing users over the last week after iOS 14.5 rolled out to the public:
This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it.
Unfortunately, some users still see the toggle described above as grayed out on their phones, and it’s not clear why. Apple has released a support document explaining what might cause the setting to be disabled, from being under age 18 to having an Apple ID that’s less than three days old, but whatever the case, reports from around the internet make it clear that iOS 14.5.1 didn’t solve the problem for everyone. Plus, some users are running into a brand-new issue causing visual bugs in the Software Update section of the Settings app.