Apple Patches 3 More Zero-Days Under Active Attack
2021-09-24 11:29

Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.

Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of the same vulnerabilities, CVE-2021-30869, that also affects macOS. The XNU kernel vulnerability - the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero - is a type-confusion issue that Apple addressed with "Improved state handling," according to its advisory.

The issue tracked as CVE-2021-30858 is described by Apple as a use-after-free issue that the company addressed with improved memory management.

Citizen Lab detected the flaw, a CoreGraphics issue tracked by Apple as CVE-2021-30860, targeting iMessaging in August.

The latest Apple security updates come on the heels of news earlier this week that it quietly slid out an incomplete patch for a zero-day vulnerability in its macOS Finder system - which hasn't fixed the problem yet.

"Even though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code," he observed in an email to Threatpost.


News URL

https://threatpost.com/apple-patches-zero-days-attack/174988/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDORS | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2021-08-24 | CVE-2021-30860 | Integer Overflow or Wraparound vulnerability in multiple products | An integer overflow was addressed with improved input validation. | local | low complexity | apple, xpdfreader, freedesktop | CWE-190 | 7.8 |
| 2021-08-24 | CVE-2021-30858 | Use After Free vulnerability in multiple products | A use after free issue was addressed with improved memory management. | network | low complexity | apple, fedoraproject, debian | CWE-416 | 8.8 |
| 2021-08-24 | CVE-2021-30869 | Type Confusion vulnerability in Apple products | A type confusion issue was addressed with improved state handling. | local | low complexity | apple | CWE-843 | 7.8 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apple 131 588 4228 1617 2402 8835