Security News > 2021 > September > Apple Patches 3 More Zero-Days Under Active Attack
Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.
Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of same vulnerabilities, CVE-2021-30869, that also affects macOS. The XNU kernel vulnerability - the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero - is a type-confusion issue that Apple addressed with "Improved state handling," according to its advisory.
The issue tracked as CVE-2021-30858 is described by Apple as a use-after-free issue that the company addressed with improved memory management.
Citizen Lab detected the flaw - tracked by Apple as CVE-2021-30860, a flaw in CoreGraphics - targeting iMessaging in August.
The latest Apple security updates come on the heels of news earlier this week that it quietly slid out an incomplete patch for a zero-day vulnerability in its macOS Finder system - which hasn't fixed the problem yet.
"Even though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code," he observed in an email to Threatpost.
News URL
https://threatpost.com/apple-patches-zero-days-attack/174988/
Related news
- Apple fixes two zero-days used in attacks on Intel-based Macs (source)
- Apple Patches Two Zero-Day Attack Vectors (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Palo Alto Networks patches two firewall zero-days used in attacks (source)
- Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities (source)
- Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308) (source)
- Japan warns of IO-Data zero-day router flaws exploited in attacks (source)
- Fully patched Cleo products under renewed 'zero-day-ish' mass attack (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-24 | CVE-2021-30860 | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow was addressed with improved input validation. | 7.8 |
2021-08-24 | CVE-2021-30858 | Use After Free vulnerability in multiple products A use after free issue was addressed with improved memory management. | 8.8 |
2021-08-24 | CVE-2021-30869 | Type Confusion vulnerability in Apple products A type confusion issue was addressed with improved state handling. | 7.8 |