Apple Ships Emergency Fixes for Under-Attack iOS Zero-Day


iOS Vulnerabilities Exploited in the Wild

Apple on Tuesday dropped emergency security patches for its flagship iOS and iPad OS platforms alongside a warning that hackers may already be exploiting three different security vulnerabilities.

The patches — contained in iOS 14.4 and iPadOS 14.4 — are currently being pushed to mobile users via the automatic updating mechanism.  

Apple did not provide technical details of the vulnerabilities or the in-the-wild attacks, except to identify the flaws in the Kernel and in WebKit, the open-source web browser engine used in Safari, Mail, AppStore and a range of MacOS and iOS apps.

Here are the bare-bones details from Apple:

CVE-2021-1782 (Kernel)  — Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.  Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).  Anonymously reported.

CVE-2021-1871 and CVE-2021-1870 (WebKit) —  Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.  Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).   Reported by anonymous researchers.

Apple has promised additional details will be available soon.

Related: Zerodium Expects iOS Exploit Prices to Drop as It Announces Surplus

Related: Zero-Day Vulnerabilities in iOS Mail App Exploited in Targeted Attacks

view counter

Ryan Naraine is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. He is the host of the Security Conversations podcast and a regular speaker at cybersecurity conferences around the world.

Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Follow Ryan on Twitter @ryanaraine.

Previous Columns by Ryan Naraine:
Tags:



Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *