Three Apple patches against zero-day threats


Urgently install updates to fix bugs affecting iPhones and Apple Watches.

Apple has updated its iOS and iPadOS operating systems to fix three zero-day security vulnerabilities that are actively exploited. The trio of flaws concerns different versions of iPhones and iPads and the latest generation of iPod touch.

“Apple is aware of a report according to which this problem has been actively exploited,” says Apple’s security alert, which describes each security flaw that is resolved with the release of version 14.4 of iOS and iPadOS.

Every device, connected or not, has vulnerabilities. It’s a fact, and that’s why updates are essential. Today, tomorrow, our refrigerators, our connected televisions, our vacuum cleaners, as well as our computers and smartphones require regular updates. In addition to bringing new functions, the update corrects the flaws discovered in our devices.

The list of affected devices includes iPhone 6 and above, iPad Air 2 and above, iPad mini 4 and above, and 7th generation iPod touch. The Cupertino-based tech giant has also released security updates for one of the vulnerabilities on a range of its other devices, including Apple Watch (watchOS 7.3) and Apple TVs (tvOS 14.4).

As usual, nothing is known about the perpetrators and targets of these zero-day attacks, which exploit flaws in the operating system kernel and WebKit browser engine.

The first flaw, identified as CVE-2021-1782 and located in the operating system kernel, is a race condition bug that could lead to privilege escalation, which could be exploited by an attacker using a malicious application. Simply put, this means that an attacker could use the app to gain additional privileges in the device’s operating system, which would allow it to do all kinds of damage.

Meanwhile, the other two security vulnerabilities, indexed as CVE-2021-1871 and CVE-2021-1870, reside in the WebKit component, Apple’s open-source web browsing engine used by Safari browser, Mail, and various other iOS and iPadOS apps. According to the description of the bug, it stems from a “logic problem” which could be exploited by a remote attacker and allow them to execute arbitrary code. According to Vulmon, the duo of loopholes could be exploited “by persuading a victim to visit a specially crafted website”.

Beyond the three zeros days, all of which have been uncovered by anonymous researchers, Apple has also released security patches for flaws in its Xcode and iCloud for Windows products.

The Hong Kong IT Emergency Response Team (HKCERT) has issued an alert classifying the vulnerabilities as “extremely high risk” and urging users of affected Apple devices to apply updates immediately. If you haven’t turned on automatic updates, you can update your devices manually by going to the Settings menu, then tapping on General and going to the Software Update section.

Apple previously fixed three other zero-day vulnerabilities that were actively exploited in the wild in November of last year.

Design by NewsLax