Apple Patches 3 More Zero-Days Under Active Attack

3 weeks ago

One of the bugs, which affects macOS as well as older versions of iPhones, could allow an attacker to execute arbitrary code with kernel privileges.

Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.

Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of the same vulnerabilities, CVE-2021-30869, that also affects macOS.

The XNU kernel vulnerability — the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero — is a type-confusion issue that Apple addressed with “improved state handling,” according to its advisory.

“A malicious application may be able to execute arbitrary code with kernel privileges,” the company said. “Apple is aware of reports that an exploit for this issue exists in the wild.”

The flaw also affects the WebKit browser engine, which is likely why it caught the attention of the Google researchers. The issue affects macOS Catalina as well as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Pegasus Zero-Day Patched for Older Devices

Another zero-day flaw patched in the iOS update also affects WebKit on the same older iOS devices. The issue tracked as CVE-2021-30858 is described by Apple as a use-after-free issue that the company addressed with improved memory management. It allows an attacker to process maliciously crafted web content that may lead to arbitrary code execution, according to Apple’s advisory.

“Apple is aware of a report that this issue may have been actively exploited,” the company said.

A third bug patched in the iOS update — a zero-click exploit discovered by Citizen Lab — already made headlines earlier this month when Apple issued a series of emergency patches on Sept. 13 for it to cover the latest devices running iOS and macOS.

The vulnerability allows for an attacker to process a maliciously crafted PDF that may lead to arbitrary code execution. The fix issued Thursday for the integer-overflow bug “was addressed with improved input validation,” according to Apple, and covers older devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).

Citizen Lab detected the flaw — tracked by Apple as CVE-2021-30860, a flaw in CoreGraphics — targeting iMessaging in August. Researchers dubbed it ForcedEntry and alleged that it had been used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware.

Keeping Up with 0-Days

The latest Apple security updates come on the heels of news earlier this week that it quietly slid out an incomplete patch for a zero-day vulnerability in its macOS Finder system — which hasn’t fixed the problem yet. It could allow remote attackers to trick users into running arbitrary commands.

Indeed Apple, like many other vendors, spends a lot of its time trying to keep up with security vulnerabilities—something at which it “does a great job,” noted Hank Schless, senior manager of security solutions at endpoint-to-cloud security firm Lookout.

“Even though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code,” he observed in an email to Threatpost.

However, these patches are worth nothing and corporate security is at risk if people don’t update their mobile devices in particular, as soon as fixes for actively exploited flaws are available, Schless warned.

“People often ignore them until they’re forced to update,” he said. “This could be risky to an enterprise that allows its employees to access corporate resources from their mobile devices…[which is] just about every enterprise out there.”
