Apple Inc. has released a minor update to iOS and iPadOS that brings both to version 14.5.1. Besides addressing an App Tracking Transparency framework bug, the incremental update also fixes two major security vulnerabilities.
The iOS 14.5 update added features such as Apple Watch Unlock, Siri improvements, and many more. But Apple has quickly released a small but critically important security update with Build Number 18E212. Incidentally, the company has also simultaneously released macOS 11.3.1 with security patches.
Why did Apple Inc. send out 14.5.1, a small update, immediately after the iOS 14.5 feature update?
The iPhone and iPad maker had released an important update, iOS and iPadOS 14.5, barely a week ago. That update was a very important one, not just for consumers but also for Apple.
The iOS 14.5 update marks a remarkable shift in the way consumers control their own privacy while using modern-day smartphones and tablets. The iOS 14.5 update, for the first time, allows users to deny access to “tracking”.
Apple has released iOS 14.5.1, which adds minor security updates. iPadOS 14.5.1, watchOS 7.4.1, macOS 11.3.1, iOS 12.5.3, and iPadOS 12.5.3 are also available
— Apple Hub (@theapplehub) May 3, 2021
Despite sending out a major update barely a week ago, Apple has rushed out a minor incremental update. Reports indicate the company has included fixes to two security vulnerabilities.
The two major vulnerabilities in iOS and iPadOS 14.5 could have allowed malicious parties to remotely execute code. Simply put, hackers could have successfully targeted and taken over a victim’s device.
Security vulnerabilities in iOS and iPadOS targeted WebKit:
The 14.5.1 update released on Monday patches two zero-day (0Day) vulnerabilities in WebKit. Apple relies heavily on this rendering software, which essentially decides how to render web content in apps like Safari, the App Store, and others.
Apple Inc. hasn’t offered many details about the security vulnerabilities. However, the company has tagged the bugs as CVE-2021-30663 and CVE-2021-30665 in update notes.
Both vulnerabilities have identical “impact lists”. Although Apple doesn’t specifically say so, hackers may have exploited them “in the wild”.
One security flaw was a “memory corruption issue”, which Apple fixed “with improved state management”. Researchers from Chinese firm Qihoo 360 had alerted Apple about the bug.
An anonymous engineer alerted Apple about the second security vulnerability. Apple indicated, “an integer overflow was addressed with improved input validation”.
Incidentally, Apple also released iOS 12.5.3 for older generations of iPhones that are incompatible with iOS 14.5. This incremental update also included a fix for another issue tagged CVE-2021-30666.
Multiple media reports have claimed that the iOS and iPadOS 14.5.1 update addresses a bug in the recently introduced App Tracking Transparency framework.
“This update fixes an issue with App Tracking Transparency where some users who previously disabled Allow Apps to Request to Track in Settings may not receive prompts from apps after re-enabling it. This update also provides important security updates and is recommended for all users.”
However, a few social media users have claimed that the system-wide setting for ATT remains grayed out. This indicates Apple may have focused on the security aspects rather than addressing the bug that a few users are facing.