Apple published iOS and iPadOS 15.3.1 to patch a serious ACE vulnerability (arbitrary code execution) in iOS. The bug allows hackers to execute code on devices via Chrome, Firefox, Safari and other major browsers.

Apple’s policy forbids the organization from sharing details about vulnerabilities currently under investigation. Hence, our information is limited. We know that iOS 15.3.1 contains a patch for a ACE vulnerability in WebKit, the iOS engine for Safari, Chrome, Firefox, and most major browsers. The attack surface is huge, as WebKit is incorporated in nearly all iPhones, iPads, Macbooks and iMacs.

iOS 15.3.1 patch

Apple recommends running the update as soon as possible on all models since the iPhone 6s, iPad Pro, iPad Air 2, iPad 5th gen and iPad mini 4. Most devices will receive an automatic update. If you do not receive the update, navigate to ‘Settings’, then ‘General’ and finally ‘Software update’ to retrieve the patch.

As mentioned earlier, Apple does not disclose how the vulnerability can be exploited. On the other hand, its impact is made clear. “Processing maliciously crafted web content may lead to arbitrary code execution”, Apple states. “We are aware of a report that this issue may have been actively exploited.”

New year, same problem?

This is far from the first time that WebKit has caused a threat in iOS. The engine’s past is rife with bugs. One of the earlier incidents is strikingly similar to the current problem. In March 2021, Apple published a patch for a threat with the same description as today’s vulnerability. Back then, the bug created the risk of memory corruption. CVSS gave the vulnerability a score of 8.8.