Apple releases iOS 15.3 and iPadOS 15.3 to address critical security bugs
The security holes plugged include a Safari web browsing leak that enabled attackers to steal information about a user's recent browsing history
Apple has started rolling out a new set of updates for its mobile devices, which come in the form of iOS 15.3 and iPadOS 15.3.
The updates, which offer several bug fixes, performance improvements and security enhancements, are available for devices that are still supported by the company.
According to Apple, iOS 15.3 patches 10 notable security vulnerabilities ranging from the Safari web browsing leak to a bug that can give malicious programmes root privileges, and more.
Earlier this month, security researchers disclosed details of a weakness in Apple's Safari browser that enabled attackers to steal information about a user's recent browsing history, and even some details of their logged-in accounts, such as their Google ID.
The vulnerability, which was uncovered by FingerprintJS researchers, stemmed from an issue with Apple's implementation of a JavaScript API called IndexedDB, which is part of Apple's WebKit.
As a result of the bug, any website that uses IndexedDB could access the names of IndexedDB databases created by other sites during a user's browsing session, according to researchers.
The vulnerability affected Safari as well as third-party browsers like Chrome on iOS 15 and iPadOS 15, as Apple requires all browsers on the iPhone and iPad to use WebKit.
The Cupertino-based technology giant says the security hole has now been plugged with iOS 15.3.
Since this bug impacted nearly all iOS 15 devices, users are advised to treat the update as important and install it immediately.
Beyond the Safari web browsing bug, iOS 15.3 addresses a few other security issues, some of which have already been exploited by malicious actors.
In the release notes, Apple says that the update addresses an iCloud bug that could enable an app to access a user's files without permission.
Additionally, the latest update fixes the following issues:
- a bug in the iOS Crash Reporter that could allow malicious actors to gain root privileges
- a memory corruption issue in the ColorSync feature that lets a maliciously crafted file execute arbitrary code when processed
- a memory corruption issue in IOMobileFrameBuffer that lets a malicious application execute arbitrary code with kernel privileges
- a buffer overflow issue that lets an app execute arbitrary code with kernel privileges
- an information disclosure issue that leads to unexpected application termination or arbitrary code execution when a maliciously crafted STL file is processed
- a validation issue in WebKit that could lead to arbitrary JavaScript execution when a maliciously crafted mail message is processed
- a use-after-free issue in WebKit that could lead to arbitrary code execution when maliciously crafted web content is processed
In October, Apple released iOS 15.0.2 and iPadOS 15.0.2 to address a zero-day bug (CVE-2021-30883) that it said was being exploited in the wild.
And one month prior to that, the iPhone maker released a suite of new updates for iOS, watchOS and macOS to fix a critical bug that security researchers said was exploited by spyware to spy on a Saudi activist.
Also in September, a security researcher dropped PoC exploit code for three iOS zero-day bugs after Apple delayed patching and failed to credit the researcher.