
Apple addresses three iOS zero-day flaws exploited in the wild

January 27, 2021 - SecurityAffairs

Apple has addressed three zero-day vulnerabilities in its iOS operating system that have been exploited in the wild.

Apple has addressed three zero-day vulnerabilities in iOS that have been exploited in the wild with the release of security updates (iOS 14.4).

The first zero-day issue, tracked as CVE-2021-1782, is a race condition that resides in the iOS operating system kernel.

“A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory. “A race condition was addressed with improved locking.”

Apple's security update is available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).

The other two zero-day flaws, tracked as CVE-2021-1870 and CVE-2021-1871 respectively, reside in the WebKit browser engine.

Both issues are logic issues that could be exploited by remote attackers to execute arbitrary code inside users’ Safari browsers.

“A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory.

Security updates are available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).

All three zero-days have been reported to the IT giant by an anonymous researcher.

Apple did not disclose technical details of the attacks in the wild. Threat actors likely chained the flaws to deliver malicious code into the web browsers of users visiting specially crafted websites and then escalate privileges to run malicious code.

In November, Apple addressed three other zero-day vulnerabilities in its mobile OS that had been abused in attacks in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

