Apple Patches 3 More Zero-Days Under Active Attack
Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.
Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of the same vulnerabilities, CVE-2021-30869, that also affects macOS. The XNU kernel vulnerability - the discovery of which was attributed to Google researchers Erye Hernandez and Clément Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero - is a type-confusion issue that Apple addressed with "improved state handling," according to its advisory.
The issue tracked as CVE-2021-30858 is described by Apple as a use-after-free issue that the company addressed with improved memory management.
Citizen Lab detected the flaw - tracked by Apple as CVE-2021-30860, a flaw in CoreGraphics - targeting iMessaging in August.
The latest Apple security updates come on the heels of news earlier this week that it quietly slid out an incomplete patch for a zero-day vulnerability in its macOS Finder system - which hasn't fixed the problem yet.
"Even though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code," he observed in an email to Threatpost.
News URL
https://threatpost.com/apple-patches-zero-days-attack/174988/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-24 | CVE-2021-30860 | Integer Overflow or Wraparound vulnerability in multiple products. An integer overflow was addressed with improved input validation. | 7.8 |
2021-08-24 | CVE-2021-30858 | Use After Free vulnerability in multiple products. A use after free issue was addressed with improved memory management. | 8.8 |
2021-08-24 | CVE-2021-30869 | Type Confusion vulnerability in Apple products. A type confusion issue was addressed with improved state handling. | 7.8 |