Security News > 2021 > September > Apple Patches 3 More Zero-Days Under Active Attack

Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.

Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of same vulnerabilities, CVE-2021-30869, that also affects macOS. The XNU kernel vulnerability - the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero - is a type-confusion issue that Apple addressed with "Improved state handling," according to its advisory.

The issue tracked as CVE-2021-30858 is described by Apple as a use-after-free issue that the company addressed with improved memory management.

Citizen Lab detected the flaw - tracked by Apple as CVE-2021-30860, a flaw in CoreGraphics - targeting iMessaging in August.

The latest Apple security updates come on the heels of news earlier this week that it quietly slid out an incomplete patch for a zero-day vulnerability in its macOS Finder system - which hasn't fixed the problem yet.

"Even though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code," he observed in an email to Threatpost.

News URL

https://threatpost.com/apple-patches-zero-days-attack/174988/